Network Working Group J. Song Request for Comments: 4615 R. Poovendran Category: Standards Track University of Washington J. Lee Samsung Electronics T. Iwata Nagoya University August 2006
Network Working Group J. Song Request for Comments: 4615 R. Poovendran Category: Standards Track University of Washington J. Lee Samsung Electronics T. Iwata Nagoya University August 2006
The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE)
Internet密钥交换协议(IKE)的高级加密标准基于密码的消息认证码伪随机函数-128(AES-CMAC-PRF-128)算法
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2006).
版权所有(C)互联网协会(2006年)。
Abstract
摘要
Some implementations of IP Security (IPsec) may want to use a pseudo-random function (PRF) based on the Advanced Encryption Standard (AES). This memo describes such an algorithm, called AES-CMAC-PRF-128. It supports fixed and variable key sizes.
IP安全(IPsec)的一些实现可能希望使用基于高级加密标准(AES)的伪随机函数(PRF)。本备忘录描述了一种称为AES-CMAC-PRF-128的算法。它支持固定键大小和可变键大小。
Table of Contents
目录
1. Introduction ....................................................2 2. Basic Definitions ...............................................2 3. The AES-CMAC-PRF-128 Algorithm ..................................2 4. Test Vectors ....................................................4 5. Security Considerations .........................................4 6. IANA Considerations .............................................5 7. Acknowledgements ................................................5 8. References ......................................................5 8.1. Normative References .......................................5 8.2. Informative References .....................................5
1. Introduction ....................................................2 2. Basic Definitions ...............................................2 3. The AES-CMAC-PRF-128 Algorithm ..................................2 4. Test Vectors ....................................................4 5. Security Considerations .........................................4 6. IANA Considerations .............................................5 7. Acknowledgements ................................................5 8. References ......................................................5 8.1. Normative References .......................................5 8.2. Informative References .....................................5
[RFC4493] describes a method to use the Advanced Encryption Standard (AES) as a Message Authentication Code (MAC) that has a 128-bit output length. The 128-bit output is useful as a long-lived pseudo-random function (PRF). This document specifies a PRF that supports fixed and variable key sizes for IKEv2 [RFC4306] Key Derivation Function (KDF) and authentication.
[RFC4493]描述了一种将高级加密标准(AES)用作具有128位输出长度的消息认证码(MAC)的方法。128位输出作为长寿命伪随机函数(PRF)非常有用。本文档指定了一个PRF,该PRF支持IKEv2[RFC4306]密钥派生函数(KDF)和身份验证的固定和可变密钥大小。
VK Variable-length key for AES-CMAC-PRF-128, denoted by VK.
AES-CMAC-PRF-128的VK可变长度密钥,由VK表示。
0^128 The string that consists of 128 zero-bits, which is equivalent to 0x00000000000000000000000000000000 in hexadecimal notation.
0^128由128个零位组成的字符串,相当于十六进制表示法中的0x00000000000000000000。
AES-CMAC The AES-CMAC algorithm with a 128-bit long key described in section 2.4 of [RFC4493].
AES-CMAC——具有[RFC4493]第2.4节所述128位长密钥的AES-CMAC算法。
The AES-CMAC-PRF-128 algorithm is identical to AES-CMAC defined in [RFC4493] except that the 128-bit key length restriction is removed.
AES-CMAC-PRF-128算法与[RFC4493]中定义的AES-CMAC相同,只是删除了128位密钥长度限制。
IKEv2 [RFC4306] uses PRFs for multiple purposes, most notably for generating keying material and authentication of the IKE_SA. The IKEv2 specification differentiates between PRFs with fixed key sizes and those with variable key sizes.
IKEv2[RFC4306]将PRF用于多种用途,尤其是用于生成密钥材料和IKE_SA的认证。IKEv2规范区分了具有固定密钥大小的PRF和具有可变密钥大小的PRF。
When using AES-CMAC-PRF-128 as the PRF described in IKEv2, AES-CMAC-PRF-128 is considered to take fixed size (16 octets) keys for generating keying material but it takes variable key sizes for authentication.
当使用AES-CMAC-PRF-128作为IKEv2中描述的PRF时,AES-CMAC-PRF-128被认为采用固定大小(16个八位字节)的密钥来生成密钥材料,但它采用可变的密钥大小来进行身份验证。
That is, when generating keying material, "half the bits must come from Ni and half from Nr, taking the first bits of each" as described in IKEv2, section 2.14; but for authenticating with shared secrets (IKEv2, section 2.16), the shared secret does not have to be 16 octets and the length may vary.
也就是说,在生成键控材料时,“一半的位必须来自Ni,一半来自Nr,取每个的第一位”,如IKEv2第2.14节所述;但对于使用共享机密进行身份验证(IKEv2,第2.16节),共享机密不必是16个八位字节,长度可能会有所不同。
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + AES-CMAC-PRF-128 + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + Input : VK (Variable-length key) + + : M (Message, i.e., the input data of the PRF) + + : VKlen (length of VK in octets) + + : len (length of M in octets) + + Output : PRV (128-bit Pseudo-Random Variable) + + + +-------------------------------------------------------------------+ + Variable: K (128-bit key for AES-CMAC) + + + + Step 1. If VKlen is equal to 16 + + Step 1a. then + + K := VK; + + Step 1b. else + + K := AES-CMAC(0^128, VK, VKlen); + + Step 2. PRV := AES-CMAC(K, M, len); + + return PRV; + + + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + AES-CMAC-PRF-128 + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + Input : VK (Variable-length key) + + : M (Message, i.e., the input data of the PRF) + + : VKlen (length of VK in octets) + + : len (length of M in octets) + + Output : PRV (128-bit Pseudo-Random Variable) + + + +-------------------------------------------------------------------+ + Variable: K (128-bit key for AES-CMAC) + + + + Step 1. If VKlen is equal to 16 + + Step 1a. then + + K := VK; + + Step 1b. else + + K := AES-CMAC(0^128, VK, VKlen); + + Step 2. PRV := AES-CMAC(K, M, len); + + return PRV; + + + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Figure 1. The AES-CMAC-PRF-128 Algorithm
图1。AES-CMAC-PRF-128算法
In step 1, the 128-bit key, K, for AES-CMAC is derived as follows:
在步骤1中,AES-CMAC的128位密钥K推导如下:
o If the key, VK, is exactly 128 bits, then we use it as-is.
o 如果密钥VK正好是128位,那么我们按原样使用它。
o If it is longer or shorter than 128 bits, then we derive the key, K, by applying the AES-CMAC algorithm using the 128-bit all-zero string as the key and VK as the input message. This step is described in step 1b.
o 如果长度大于或小于128位,则通过应用AES-CMAC算法,使用128位全零字符串作为密钥,VK作为输入消息,推导出密钥K。该步骤在步骤1b中描述。
In step 2, we apply the AES-CMAC algorithm using K as the key and M as the input message. The output of this algorithm is returned.
在步骤2中,我们采用AES-CMAC算法,使用K作为密钥,M作为输入消息。返回此算法的输出。
------------------------------------------------------------
------------------------------------------------------------
Test Case AES-CMAC-PRF-128 with 20-octet input Key : 00010203 04050607 08090a0b 0c0d0e0f edcb Key Length : 18 Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF Output : 84a348a4 a45d235b abfffc0d 2b4da09a
测试用例AES-CMAC-PRF-128,带20个八位字节输入密钥:00010203 04050607 08090a0b 0c0d0e0f edcb密钥长度:18消息:00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF输出:84a348a4 a45d235b abfffc0d 2b4da09a
Test Case AES-CMAC-PRF-128 with 20-octet input Key : 00010203 04050607 08090a0b 0c0d0e0f Key Length : 16 Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF Output : 980ae87b 5f4c9c52 14f5b6a8 455e4c2d
测试用例AES-CMAC-PRF-128,带20个八位输入键:00010203 04050607 08090a0b 0c0d0e0f键长:16消息:00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF输出:980ae87b 5f4c9c52 14f5b6a8 455e4c2d
Test Case AES-CMAC-PRF-128 with 20-octet input Key : 00010203 04050607 0809 Key Length : 10 Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF Output : 290d9e11 2edb09ee 141fcf64 c0b72f3d
测试用例AES-CMAC-PRF-128,带20个八位输入键:00010203 04050607 0809键长:10消息:00010203 04050607 08090a0b 0c0d0e0f 10111213 PRF输出:290d9e11 2edb09ee 141fcf64 c0b72f3d
------------------------------------------------------------
------------------------------------------------------------
The security provided by AES-CMAC-PRF-128 is based upon the strength of AES and AES-CMAC. At the time of this writing, there are no known practical cryptographic attacks against AES or AES-CMAC. However, as is true with any cryptographic algorithm, part of its strength lies in the secret key, VK, and the correctness of the implementation in all of the participating systems. The key, VK, needs to be chosen independently and randomly based on RFC 4086 [RFC4086], and both keys, VK and K, should be kept safe and periodically refreshed. Section 4 presents test vectors that assist in verifying the correctness of the AES-CMAC-PRF-128 code.
AES-CMAC-PRF-128提供的安全性基于AES和AES-CMAC的强度。在撰写本文时,还没有已知的针对AES或AES-CMAC的实用加密攻击。然而,与任何加密算法一样,它的一部分优势在于密钥VK和所有参与系统中实现的正确性。需要根据RFC 4086[RFC4086]独立随机地选择密钥VK,并且两个密钥VK和K都应保持安全并定期刷新。第4节介绍了有助于验证AES-CMAC-PRF-128代码正确性的测试向量。
If VK is longer than 128 bits and it is shortened to meet the AES-128 key size, then some entropy might be lost. However, as long as VK is longer than 128 bits, then the new key, K, preserves sufficient entropy, i.e., the entropy of K is about 128 bits.
如果VK大于128位,并缩短以满足AES-128密钥大小,则可能会丢失一些熵。然而,只要VK大于128位,则新密钥K保持足够的熵,即K的熵约为128位。
Therefore, we recommend the use of VK that is longer than or equal to 128 bits, and we discourage the use of VK that is shorter than or equal to 64 bits, because of the small entropy.
因此,我们建议使用大于或等于128位的VK,我们不鼓励使用小于或等于64位的VK,因为熵很小。
IANA has allocated a value of 8 for IKEv2 Transform Type 2 (Pseudo-Random Function) to the PRF_AES128_CMAC algorithm.
IANA已将IKEv2变换类型2(伪随机函数)的值8分配给PRF_AES128_CMAC算法。
Portions of this text were borrowed from [RFC3664] and [RFC4434]. Many thanks to Russ Housley and Paul Hoffman for suggestions and guidance. We also thank Alfred Hoenes for many useful comments.
本文的部分内容借用自[RFC3664]和[RFC4434]。非常感谢Russ Housley和Paul Hoffman的建议和指导。我们还感谢阿尔弗雷德·霍恩斯提出的许多有益的意见。
We acknowledge support from the following grants: Collaborative Technology Alliance (CTA) from US Army Research Laboratory, DAAD19-01-2-0011; Presidential Award from Army Research Office,- W911NF-05-1-0491; ONR YIP N00014-04-1-0479. Results do not reflect any position of the funding agencies.
我们感谢以下赠款的支持:美国陆军研究实验室合作技术联盟(CTA),DAAD19-01-2-0011;陆军研究室颁发的总统奖,-W911NF-05-1-0491;叶国荣N00014-04-1-0479。结果并不反映资助机构的任何立场。
[RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, June 2006.
[RFC4493]Song,JH.,Poovendran,R.,Lee,J.,和T.Iwata,“AES-CMAC算法”,RFC 4493,2006年6月。
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.
[RFC4306]Kaufman,C.,“互联网密钥交换(IKEv2)协议”,RFC43062005年12月。
[RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC4086]伊斯特莱克,D.,3,席勒,J.和S.克罗克,“安全的随机性要求”,BCP 106,RFC 4086,2005年6月。
[RFC3664] Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)", RFC 3664, January 2004.
[RFC3664]Hoffman,P.,“互联网密钥交换协议(IKE)的AES-XCBC-PRF-128算法”,RFC 3664,2004年1月。
[RFC4434] Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)", RFC 4434, February 2006.
[RFC4434]Hoffman,P.,“互联网密钥交换协议(IKE)的AES-XCBC-PRF-128算法”,RFC 4434,2006年2月。
Authors' Addresses
作者地址
JunHyuk Song Samsung Electronics University of Washington Phone: (206) 853-5843
骏歌三星电子华盛顿大学电话:(206)83-5843
EMail: junhyuk.song@samsung.com, junhyuk.song@gmail.com
EMail: junhyuk.song@samsung.com, junhyuk.song@gmail.com
Radha Poovendran Network Security Lab University of Washington Phone: (206) 221-6512
RADHA PoVeDrand网络安全实验室华盛顿大学电话:(206)221-612
EMail: radha@ee.washington.edu
EMail: radha@ee.washington.edu
Jicheol Lee Samsung Electronics Phone: +82-31-279-3605
Jicheol Lee三星电子手机:+82-31-279-3605
EMail: jicheol.lee@samsung.com
EMail: jicheol.lee@samsung.com
Tetsu Iwata Nagoya University
岩田德洙名古屋大学
EMail: iwata@cse.nagoya-u.ac.jp
EMail: iwata@cse.nagoya-u.ac.jp
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2006).
版权所有(C)互联网协会(2006年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
RFC编辑器功能的资金由IETF行政支持活动(IASA)提供。