Network Working Group                                         D. Harkins
Request for Comments: 5297                                Aruba Networks
Category: Informational                                     October 2008
Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES)
Status of This Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Abstract
This memo describes SIV (Synthetic Initialization Vector), a block cipher mode of operation. SIV takes a key, a plaintext, and multiple variable-length octet strings that will be authenticated but not encrypted. It produces a ciphertext having the same length as the plaintext and a synthetic initialization vector. Depending on how it is used, SIV achieves either the goal of deterministic authenticated encryption or the goal of nonce-based, misuse-resistant authenticated encryption.
Table of Contents
   1. Introduction
      1.1. Background
      1.2. Definitions
      1.3. Motivation
           1.3.1. Key Wrapping
           1.3.2. Resistance to Nonce Misuse/Reuse
           1.3.3. Key Derivation
           1.3.4. Robustness versus Performance
           1.3.5. Conservation of Cryptographic Primitives
   2. Specification of SIV
      2.1. Notation
      2.2. Overview
      2.3. Doubling
      2.4. S2V
      2.5. CTR
      2.6. SIV Encrypt
      2.7. SIV Decrypt
   3. Nonce-Based Authenticated Encryption with SIV
   4. Deterministic Authenticated Encryption with SIV
   5. Optimizations
   6. IANA Considerations
      6.1. AEAD_AES_SIV_CMAC_256
      6.2. AEAD_AES_SIV_CMAC_384
      6.3. AEAD_AES_SIV_CMAC_512
   7. Security Considerations
   8. Acknowledgments
   9. References
      9.1. Normative References
      9.2. Informative References
   Appendix A. Test Vectors
      A.1. Deterministic Authenticated Encryption Example
      A.2. Nonce-Based Authenticated Encryption Example
Various attacks have been described (e.g., [BADESP]) when data is merely privacy protected and not additionally authenticated or integrity protected. Therefore, combined modes of encryption and authentication have been developed ([RFC5116], [RFC3610], [GCM], [JUTLA], [OCB]). These provide conventional authenticated encryption when used with a nonce ("a number used once") and typically accept additional inputs that are authenticated but not encrypted, hereinafter referred to as "associated data" or AD.
A deterministic, nonce-less, form of authenticated encryption has been used to protect the transportation of cryptographic keys (e.g., [X9F1], [RFC3217], [RFC3394]). This is generally referred to as "Key Wrapping".
This memo describes a new block cipher mode, SIV, that provides both nonce-based authenticated encryption as well as deterministic, nonce-less key wrapping. It contains a Pseudo-Random Function (PRF) construction called S2V and an encryption/decryption construction, called CTR. SIV was specified by Phillip Rogaway and Thomas Shrimpton in [DAE]. The underlying block cipher used herein for both S2V and CTR is AES with key lengths of 128 bits, 192 bits, or 256 bits. S2V uses AES in Cipher-based Message Authentication Code ([CMAC]) mode; CTR uses AES in counter ([MODES]) mode.
Associated data is data input to an authenticated-encryption mode that will be authenticated but not encrypted. [RFC5116] says that associated data can include "addresses, ports, sequence numbers, protocol version numbers, and other fields that indicate how the plaintext or ciphertext should be handled, forwarded, or processed". These are multiple, distinct inputs and may not be contiguous. Other authenticated-encryption cipher modes allow only a single associated data input. Such a limitation may require implementation of a scatter/gather form of data marshalling to combine the multiple components of the associated data into a single input or may require a pre-processing step where the associated data inputs are concatenated together. SIV accepts multiple variable-length octet strings (hereinafter referred to as a "vector of strings") as associated data inputs. This obviates the need for data marshalling or pre-processing of associated data to package it into a single input.
By allowing associated data to consist of a vector of strings, SIV also obviates the requirement to encode the length of component fields of the associated data when those fields have variable length.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
A key distribution protocol must protect keys it is distributing. This has not always been done correctly. For example, RADIUS [RFC2865] uses Microsoft Point-to-Point Encryption (MPPE) [RFC2548] to encrypt a key prior to transmission from server to client. It provides no integrity checking of the encrypted key. [RADKEY] specifies the use of [RFC3394] to wrap a key in a RADIUS request, but because of the inability to pass associated data, a Hashed Message Authentication Code (HMAC) [RFC2104] is necessary to provide authentication of the entire request.
SIV can be used as a drop-in replacement for any specification that uses [RFC3394] or [RFC3217], including the aforementioned use. It is a more general purpose solution as it allows for associated data to be specified.
The nonce-based authenticated encryption schemes described above are susceptible to reuse and/or misuse of the nonce. Depending on the specific scheme there are subtle and critical requirements placed on the nonce (see [SP800-38D]). [GCM] states that it provides "excellent security" if its nonce is guaranteed to be distinct but provides "no security" otherwise. Confidentiality guarantees are voided if a counter in [RFC3610] is reused. In many cases, guaranteeing no reuse of a nonce/counter/IV is not a problem, but in others it will be.
For example, many applications obtain access to cryptographic functions via an application program interface to a cryptographic library. These libraries are typically not stateful and any nonce, initialization vector, or counter required by the cipher mode is passed to the cryptographic library by the application. Putting the construction of a security-critical datum outside the control of the encryption engine places an onerous burden on the application writer who may not provide the necessary cryptographic hygiene. Perhaps his random number generator is not very good or maybe an application fault causes a counter to be reset. The fragility of the cipher mode may result in its inadvertent misuse. Also, if one's environment is (knowingly or unknowingly) a virtual machine, it may be possible to roll back a virtual state machine and cause nonce reuse, thereby gutting the security of the authenticated encryption scheme (see [VIRT]).
If the nonce is random, a requirement that it never repeat will limit the amount of data that can be safely protected with a single key to one block. More sensibly, a random nonce is required to "almost always" be non-repeating, but that will drastically limit the amount of data that can be safely protected.
SIV provides a level of resistance to nonce reuse and misuse. If the nonce is never reused, then the usual notion of nonce-based security of an authenticated encryption mode is achieved. If, however, the nonce is reused, authenticity is retained and confidentiality is only compromised to the extent that an attacker can determine that the same plaintext (and same associated data) was protected with the same nonce and key. See Security Considerations (Section 7).
A PRF is frequently used as a key derivation function (e.g., [WLAN]) by passing it a key and a single string. Typically, this single string is the concatenation of a series of smaller strings -- for example, a label and some context to bind into the derived string.
These are usually multiple strings but are mapped to a single string because of the way PRFs are typically defined -- two inputs: a key and data. Such a crude mapping is inefficient because additional data must be included -- the length of variable-length inputs must be encoded separately -- and, depending on the PRF, memory allocation and copying may be needed. Also, if only one or two of the inputs changed when deriving a new key, it may still be necessary to process all of the other constants that preceded it every time the PRF is invoked.
When a PRF is used in this manner its input is a vector of strings and not a single string and the PRF should handle the data as such. The S2V ("string to vector") PRF construction accepts a vector of inputs and provides a more natural mapping of input that does not require additional lengths encodings and obviates the memory and processing overhead to marshal inputs and their encoded lengths into a single string. Constant inputs to the PRF need only be computed once.
SIV cannot perform at the same high throughput rates that other authenticated encryption schemes can (e.g., [GCM] or [OCB]) due to the requirement for two passes of the data, but for situations where performance is not a limiting factor -- e.g., control plane applications -- it can provide a robust alternative, especially when considering its resistance to nonce reuse.
The cipher mode described herein can do authenticated encryption, key wrapping, key derivation, and serve as a generic message authentication algorithm. It is therefore possible to implement all these functions with a single tool, instead of one tool for each function. This is extremely attractive for devices that are memory and/or processor constrained and that cannot afford to implement multiple cryptographic primitives to accomplish these functions.
SIV and S2V use the following notation:
len(A) returns the number of bits in A.
pad(X) indicates padding of string X, len(X) < 128, out to 128 bits by the concatenation of a single bit of 1 followed by as many 0 bits as are necessary.
leftmost(A,n) the n most significant bits of A.
rightmost(A,n) the n least significant bits of A.
A || B means concatenation of string A with string B.
A xor B is the exclusive OR operation on two equal length strings, A and B.
A xorend B where len(A) >= len(B), means xoring a string B onto the end of string A -- i.e., leftmost(A, len(A)-len(B)) || (rightmost(A, len(B)) xor B).
A bitand B is the logical AND operation on two equal length strings, A and B.
dbl(S) is the multiplication of S and 0...010 in the finite field represented using the primitive polynomial x^128 + x^7 + x^2 + x + 1. See Doubling (Section 2.3).
a^b indicates a string that is "b" bits, each having the value "a".
<zero> indicates a string that is 128 zero bits.
<one> indicates a string that is 127 zero bits concatenated with a single one bit, that is 0^127 || 1^1.
A/B indicates the greatest integer less than or equal to the real-valued quotient of A and B.
E(K,X) indicates AES encryption of string X using key K.
SIV-AES uses AES in CMAC mode (S2V) and in counter mode (CTR). SIV-AES takes either a 256-, 384-, or 512-bit key (which is broken up into two equal-sized keys, one for S2V and the other for CTR), a variable length plaintext, and multiple variable-length strings representing associated data. Its output is a ciphertext that comprises a synthetic initialization vector concatenated with the encrypted plaintext.
The doubling operation on a 128-bit input string is performed using a left-shift of the input followed by a conditional xor operation on the result with the constant:
00000000 00000000 00000000 00000087
The condition under which the xor operation is performed is when the bit being shifted off is one.
Note that this is the same operation used to generate sub-keys for CMAC-AES.
The S2V operation consists of the doubling and xoring of the outputs of a pseudo-random function, CMAC, operating over individual strings in the input vector: S1, S2, ... , Sn. It is bootstrapped by performing CMAC on a 128-bit string of zeros. If the length of the final string in the vector is greater than or equal to 128 bits, the output of the double/xor chain is xored onto the end of the final input string. That result is input to a final CMAC operation to produce the output V. If the length of the final string is less than 128 bits, the output of the double/xor chain is doubled once more and it is xored with the final string padded using the padding function pad(X). That result is input to a final CMAC operation to produce the output V.
S2V with key K on a vector of n inputs S1, S2, ..., Sn-1, Sn, and len(Sn) >= 128:
   [ASCII diagram of S2V with key K on S1, ..., Sn for len(Sn) >= 128, not recoverable from this extraction; the same construction is given algorithmically below.]

Figure 2
S2V with key K on a vector of n inputs S1, S2, ..., Sn-1, Sn, and len(Sn) < 128:
   [ASCII diagram of S2V with key K on S1, ..., pad(Sn) for len(Sn) < 128, not recoverable from this extraction; the same construction is given algorithmically below.]

Figure 3
Algorithmically S2V can be described as:
   S2V(K, S1, ..., Sn) {
     if n = 0 then
       return V = AES-CMAC(K, <one>)
     fi
     D = AES-CMAC(K, <zero>)
     for i = 1 to n-1 do
       D = dbl(D) xor AES-CMAC(K, Si)
     done
     if len(Sn) >= 128 then
       T = Sn xorend D
     else
       T = dbl(D) xor pad(Sn)
     fi
     return V = AES-CMAC(K, T)
   }
CTR is a counter mode of AES. It takes as input a plaintext P of arbitrary length, a key K of length 128, 192, or 256 bits, and a counter X that is 128 bits in length, and outputs Z, which represents a concatenation of a synthetic initialization vector V and the ciphertext C, which is the same length as the plaintext.
The ciphertext is produced by xoring the plaintext with the first len(P) bits of the following string:
E(K, X) || E(K, X+1) || E(K, X+2) || ...
Before beginning counter mode, the 31st and 63rd bits (where the rightmost bit is the 0th bit) of the counter are cleared. This enables implementations that support native 32-bit (64-bit) addition to increment the counter modulo 2^32 (2^64) in a manner that cannot be distinguished from 128-bit increments, as long as the number of increment operations is limited by an upper bound that safely avoids carry to occur out of the respective pre-cleared bit. More formally, for 32-bit addition, the counter is incremented as:
   SALT = leftmost(X, 96)
   n = rightmost(X, 32)
   X+i = SALT || (n + i mod 2^32).
For 64-bit addition, the counter is incremented as:
   SALT = leftmost(X, 64)
   n = rightmost(X, 64)
   X+i = SALT || (n + i mod 2^64).
Performing 32-bit or 64-bit addition on the counter will limit the amount of plaintext that can be safely protected by SIV-AES to 2^39 - 128 bits or 2^71 - 128 bits, respectively.
SIV-encrypt takes as input a key K of length 256, 384, or 512 bits, plaintext of arbitrary length, and a vector of associated data AD[ ] where the number of components in the vector is not greater than 126 (see Section 7). It produces output, Z, which is the concatenation of a 128-bit synthetic initialization vector and ciphertext whose length is equal to the length of the plaintext.
The key is split into equal halves, K1 = leftmost(K, len(K)/2) and K2 = rightmost(K, len(K)/2). K1 is used for S2V and K2 is used for CTR.
In the encryption mode, the associated data and plaintext represent the vector of inputs to S2V, with the plaintext being the last string in the vector. The output of S2V is a synthetic IV that represents the initial counter to CTR.
The encryption construction of SIV is as follows:
   [ASCII diagram of SIV encryption (K = K1||K2, S2V over AD 1 ... AD n and P, CTR keyed by K2 and started from V, output Z = V || C), not recoverable from this extraction.]

where the plaintext is P, the associated data is AD1 through ADn, V is the synthetic IV, the ciphertext is C, and Z is the output.

Figure 8
Algorithmically, SIV Encrypt can be described as:
   SIV-ENCRYPT(K, P, AD1, ..., ADn) {
     K1 = leftmost(K, len(K)/2)
     K2 = rightmost(K, len(K)/2)
     V = S2V(K1, AD1, ..., ADn, P)
     Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31)
     m = (len(P) + 127)/128
     for i = 0 to m-1 do
       Xi = AES(K2, Q+i)
     done
     X = leftmost(X0 || ... || Xm-1, len(P))
     C = P xor X
     return V || C
   }
where the key length used by AES in CTR and S2V is len(K)/2 and will each be either 128 bits, 192 bits, or 256 bits.
The 31st and 63rd bit (where the rightmost bit is the 0th) of the counter are zeroed out just prior to being used by CTR for optimization purposes, see Section 5.
SIV-decrypt takes as input a key K of length 256, 384, or 512 bits, Z, which represents a synthetic initialization vector V concatenated with a ciphertext C, and a vector of associated data AD[ ] where the number of components in the vector is not greater than 126 (see Section 7). It produces either the original plaintext or the special symbol FAIL.
The key is split as specified in Section 2.6.
The synthetic initialization vector acts as the initial counter to CTR to decrypt the ciphertext. The associated data and the output of CTR represent a vector of strings that is passed to S2V, with the CTR output being the last string in the vector. The output of S2V is then compared against the synthetic IV that accompanied the original ciphertext. If they match, the output from CTR is returned as the decrypted and authenticated plaintext; otherwise, the special symbol FAIL is returned.
The decryption construction of SIV is as follows:
   [ASCII diagram of SIV decryption (K = K1||K2, CTR keyed by K2 and started from V recovers P from C, S2V over AD 1 ... AD n and P gives T, which is compared with V and yields FAIL on mismatch), not recoverable from this extraction.]

Figure 10
Algorithmically, SIV-Decrypt can be described as:
   SIV-DECRYPT(K, Z, AD1, ..., ADn) {
     V = leftmost(Z, 128)
     C = rightmost(Z, len(Z)-128)
     K1 = leftmost(K, len(K)/2)
     K2 = rightmost(K, len(K)/2)
     Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31)
     m = (len(C) + 127)/128
     for i = 0 to m-1 do
       Xi = AES(K2, Q+i)
     done
     X = leftmost(X0 || ... || Xm-1, len(C))
     P = C xor X
     T = S2V(K1, AD1, ..., ADn, P)
     if T = V then
       return P
     else
       return FAIL
     fi
   }
where the key length used by AES in CTR and S2V is len(K)/2 and will each be either 128 bits, 192 bits, or 256 bits.
The 31st and 63rd bit (where the rightmost bit is the 0th) of the counter are zeroed out just prior to being used in CTR mode for optimization purposes, see Section 5.
SIV performs nonce-based authenticated encryption when a component of the associated data is a nonce. For purposes of interoperability the final component -- i.e., the string immediately preceding the plaintext in the vector input to S2V -- is used for the nonce. Other associated data are optional. It is up to the specific application of SIV to specify how the rest of the associated data are input.
If the nonce is random, it SHOULD be at least 128 bits in length and be harvested from a pool having at least 128 bits of entropy. A non-random source MAY also be used, for instance, a time stamp, or a counter. The definition of a nonce precludes reuse, but SIV is resistant to nonce reuse. See Section 1.3.2 for a discussion on the security implications of nonce reuse.
It MAY be necessary to transport this nonce with the output generated by S2V.
When the plaintext to encrypt and authenticate contains data that is unpredictable to an adversary -- for example, a secret key -- SIV can be used in a deterministic mode to perform "key wrapping". Because S2V allows for associated data and imposes no unnatural size restrictions on the data it is protecting, it is a more useful and general purpose solution than [RFC3394]. Protocols that use SIV for deterministic authenticated encryption (i.e., for more than just wrapping of keys) MAY define associated data inputs to SIV. It is not necessary to add a nonce component to the AD in this case.
Implementations that cannot or do not wish to support addition modulo 2^128 can take advantage of the fact that the 31st and 63rd bits (where the rightmost bit is the 0th bit) in the counter are cleared before being used by CTR. This allows implementations that natively support 32-bit or 64-bit addition to increment the counter naturally. Of course, in this case, the amount of plaintext that can be safely protected by SIV is reduced by a commensurate amount -- addition modulo 2^32 limits plaintext to (2^39 - 128) bits, addition modulo 2^64 limits plaintext to (2^71 - 128) bits.
It is possible to optimize an implementation of S2V when it is being used as a key derivation function (KDF), for example in [WLAN]. This is because S2V operates on a vector of distinct strings and typically the data passed to a KDF contains constant strings. Depending on the location of the variant components of the input, different optimizations are possible. The CMACed output of intermediate and invariant components can be computed once and cached. This can then be doubled and xored with the running sum to produce the output. Or an intermediate value that represents the doubled and xored output of multiple components, up to the variant component, can be computed once and cached.
[RFC5116] defines a uniform interface to cipher modes that provide nonce-based Authenticated Encryption with Associated Data (AEAD). It does this via a registry of AEAD algorithms.
The Internet Assigned Numbers Authority (IANA) assigned three entries from the AEAD Registry for AES-SIV-CMAC-256 (15), AES-SIV-CMAC-384 (16), and AES-SIV-CMAC-512 (17) based upon the following AEAD algorithm definitions. [RFC5116] defines operations in octets, not bits. Limits in this section will therefore be specified in octets. The security analysis for each of these algorithms is in [DAE].
Unfortunately, [RFC5116] restricts AD input to a single component and limits the benefit SIV offers for dealing in a natural fashion with AD consisting of multiple distinct components. Therefore, when it is required to access SIV through the interface defined in [RFC5116], it is necessary to marshal multiple AD inputs into a single string (see Section 1.1) prior to invoking SIV. Note that this requirement is not unique to SIV. All cipher modes using [RFC5116] MUST similarly marshal multiple AD inputs into a single string, and any technique used for any other AEAD mode (e.g., a scatter/gather technique) can be used with SIV.
[RFC5116] requires AEAD algorithm specifications to include maximal limits to the amount of plaintext, the amount of associated data, and the size of a nonce that the AEAD algorithm can accept.
SIV uses AES in counter mode and the security guarantees of SIV would be lost if the counter was allowed to repeat. Since the counter is 128 bits, a limit to the amount of plaintext that can be safely protected by a single invocation of SIV is 2^128 blocks.
To prevent the possibility of collisions, [CMAC] recommends that no more than 2^48 invocations be made to CMAC with the same key. This is not a limit on the amount of data that can be passed to CMAC, though. There is no practical limit to the amount of data that can be passed to a single invocation of CMAC, and likewise, there is no practical limit to the amount of associated data or nonce material that can be passed to SIV.
A collision in the output of S2V would mean the same counter would be used with different plaintext in counter mode. This would void the security guarantees of SIV. The "Birthday Paradox" (see [APPCRY]) would imply that no more than 2^64 distinct invocations to SIV be made with the same key. It is prudent to follow the example of [CMAC] though, and further limit the number of distinct invocations of SIV using the same key to 2^48. Note that [RFC5116] does not provide a variable to describe this limit.
The counter-space for SIV is 2^128. Each invocation of SIV consumes a portion of that counter-space and the amount consumed depends on the amount of plaintext being passed to that single invocation. Multiple invocations of SIV with the same key can increase the possibility of distinct invocations overlapping the counter-space. The total amount of plaintext that can be safely protected with a single key is, therefore, a function of the number of distinct invocations and the amount of plaintext protected with each invocation.
The AES-SIV-CMAC-256 AEAD algorithm works as specified in Sections 2.6 and 2.7. The input and output lengths for AES-SIV-CMAC-256 as defined by [RFC5116] are:
K_LEN is 32 octets.
P_MAX is 2^132 octets.
A_MAX is unlimited.
N_MIN is 1 octet.
N_MAX is unlimited.
C_MAX is 2^132 + 16 octets.
The security implications of nonce reuse and/or misuse are described in Section 1.3.2.
The AES-SIV-CMAC-384 AEAD algorithm works as specified in Sections 2.6 and 2.7. The input and output lengths for AES-SIV-CMAC-384 as defined by [RFC5116] are:
K_LEN is 48 octets.
P_MAX is 2^132 octets.
A_MAX is unlimited.
N_MIN is 1 octet.
N_MAX is unlimited.
C_MAX is 2^132 + 16 octets.
The security implications of nonce reuse and/or misuse are described in Section 1.3.2.
The AES-SIV-CMAC-512 AEAD algorithm works as specified in Sections 2.6 and 2.7. The input and output lengths for AES-SIV-CMAC-512 as defined by [RFC5116] are:
K_LEN is 64 octets.
P_MAX is 2^132 octets.
A_MAX is unlimited.
N_MIN is 1 octet.
N_MAX is unlimited.
C_MAX is 2^132 + 16 octets.
The security implications of nonce reuse and/or misuse are described in Section 1.3.2.
SIV provides confidentiality in the sense that the output of SIV-Encrypt is indistinguishable from a random string of bits. It provides authenticity in the sense that an attacker is unable to construct a string of bits that will return other than FAIL when input to SIV-Decrypt. A proof of the security of SIV with an "all-in-one" notion of security for an authenticated encryption scheme is provided in [DAE].
SIV provides deterministic "key wrapping" when the plaintext contains data that is unpredictable to an adversary (for instance, a cryptographic key). Even when this key is made available to an attacker the output of SIV-Encrypt is indistinguishable from random bits. Similarly, even when this key is made available to an attacker, she is unable to construct a string of bits that when input to SIV-Decrypt will return anything other than FAIL.
When the nonce used in the nonce-based authenticated encryption mode of SIV-AES is treated with the care afforded a nonce or counter in other conventional nonce-based authenticated encryption schemes -- i.e., guarantee that it will never be used with the same key for two distinct invocations -- then SIV achieves the level of security described above. If, however, the nonce is reused, SIV continues to provide the level of authenticity described above but with a slightly reduced amount of privacy (see Section 1.3.2).
If S2V is used as a key derivation function, the secret input MUST be generated uniformly at random. S2V is a pseudo-random function and is not suitable for use as a random oracle as defined in [RANDORCL].
The security bound set by the proof of security of S2V in [DAE] depends on the number of vector-based queries made by an adversary and the total number of all components in those queries. The security is only proven when the number of components in each query is limited to n-1, where n is the blocksize of the underlying pseudo-random function. The underlying pseudo-random function used here is based on AES whose blocksize is 128 bits. Therefore, S2V must not be passed more than 127 components. Since SIV includes the plaintext as a component to S2V, that limits the number of components of associated data that can be safely passed to SIV to 126.
Thanks to Phil Rogaway for patiently answering numerous questions on SIV and S2V and for useful critiques of earlier versions of this paper. Thanks also to David McGrew for numerous helpful comments and suggestions for improving this paper. Thanks to Jouni Malinen for reviewing this paper and producing another independent implementation of SIV, thereby confirming the correctness of the test vectors.
[CMAC] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication", NIST Special Publication 800-38B, May 2005.
[MODES] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", NIST Special Publication 800-38A, 2001 edition.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, January 2008.
[APPCRY] Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook of Applied Cryptography", CRC Press Series on Discrete Mathematics and Its Applications, 1996.
[BADESP] Bellovin, S., "Problem Areas for the IP Security Protocols", Proceedings of the 6th Usenix UNIX Security Symposium, July 22-25, 1996.
[RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-MAC (CCM)", RFC 3610, September 2003.
[DAE] Rogaway, P. and T. Shrimpton, "Deterministic Authenticated Encryption, A Provable-Security Treatment of the Key-Wrap Problem", Advances in Cryptology -- EUROCRYPT '06, St. Petersburg, Russia, 2006.
[GCM] McGrew, D. and J. Viega, "The Galois/Counter Mode of Operation (GCM)".
[JUTLA] Jutla, C., "Encryption Modes With Almost Free Message Integrity", Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptography.
[OCB] Krovetz, T. and P. Rogaway, "The OCB Authenticated Encryption Algorithm", Work in Progress, March 2005.
[RADKEY] Zorn, G., Zhang, T., Walker, J., and J. Salowey, "RADIUS Attributes for the Delivery of Keying Material", Work in Progress, April 2007.
[RANDORCL] Bellare, M. and P. Rogaway, "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols", Proceedings of the First ACM Conference on Computer and Communications Security, November 1993.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC 2548, March 1999.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RFC3217] Housley, R., "Triple-DES and RC2 Key Wrapping", RFC 3217, December 2001.
[RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard (AES) Key Wrap Algorithm", RFC 3394, September 2002.
[SP800-38D] Dworkin, M., "Recommendations for Block Cipher Modes of Operation: Galois Counter Mode (GCM) and GMAC", NIST Special Publication 800-38D, June 2007.
[VIRT] Garfinkel, T. and M. Rosenblum, "When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments", In 10th Workshop on Hot Topics in Operating Systems, May 2005.
[WLAN] "Draft Standard for IEEE802.11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification", 2007.
[X9F1] Dworkin, M., "Wrapping of Keys and Associated Data", Request for review of key wrap algorithms. Cryptology ePrint report 2004/340, 2004. Contents are excerpts from a draft standard of the Accredited Standards Committee, X9, entitled ANS X9.102.
The following test vectors are for the mode defined in Section 6.1.
   Input:
   -----
   Key:         fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0 f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff
   AD:          10111213 14151617 18191a1b 1c1d1e1f 20212223 24252627
   Plaintext:   11223344 55667788 99aabbcc ddee

   S2V-CMAC-AES
   ------------
   CMAC(zero):  0e04dfaf c1efbf04 01405828 59bf073a
   double():    1c09bf5f 83df7e08 0280b050 b37e0e74
   CMAC(ad):    f1f922b7 f5193ce6 4ff80cb4 7d93f23b
   xor:         edf09de8 76c642ee 4d78bce4 ceedfc4f
   double():    dbe13bd0 ed8c85dc 9af179c9 9ddbf819
   pad:         11223344 55667788 99aabbcc ddee8000
   xor:         cac30894 b8eaf254 035bc205 40357819
   CMAC(final): 85632d07 c6e8f37f 950acd32 0a2ecc93

   CTR-AES
   -------
   CTR:         85632d07 c6e8f37f 150acd32 0a2ecc93
   E(K,CTR):    51e218d2 c5a2ab8c 4345c4a6 23b2f08f
   ciphertext:  40c02b96 90c4dc04 daef7f6a fe5c

   output
   ------
   IV || C:     85632d07 c6e8f37f 950acd32 0a2ecc93 40c02b96 90c4dc04 daef7f6a fe5c
   Input:
   -----
   Key:         7f7e7d7c 7b7a7978 77767574 73727170 40414243 44454647 48494a4b 4c4d4e4f
   AD1:         00112233 44556677 8899aabb ccddeeff deaddada deaddada ffeeddcc bbaa9988 77665544 33221100
   AD2:         10203040 50607080 90a0
   Nonce:       09f91102 9d74e35b d84156c5 635688c0
   Plaintext:   74686973 20697320 736f6d65 20706c61 696e7465 78742074 6f20656e 63727970 74207573 696e6720 5349562d 414553

   S2V-CMAC-AES
   ------------
   CMAC(zero):  c8b43b59 74960e7c e6a5dd85 231e591a
   double():    916876b2 e92c1cf9 cd4bbb0a 463cb2b3
   CMAC(ad1):   3c9b689a b41102e4 80954714 1dd0d15a
   xor:         adf31e28 5d3d1e1d 4ddefc1e 5bec63e9
   double():    5be63c50 ba7a3c3a 9bbdf83c b7d8c755
   CMAC(ad2):   d98c9b0b e42cb2d7 aa98478e d11eda1b
   xor:         826aa75b 5e568eed 3125bfb2 66c61d4e
   double():    04d54eb6 bcad1dda 624b7f64 cd8c3a1b
   CMAC(nonce): 128c62a1 ce3747a8 372c1c05 a538b96d
   xor:         16592c17 729a5a72 55676361 68b48376
   xorend:      74686973 20697320 736f6d65 20706c61 696e7465 78742074 6f20656e 63727966 2d0c6201 f3341575 342a3745 f5c625
   CMAC(final): 7bdb6e3b 432667eb 06f4d14b ff2fbd0f

   CTR-AES
   -------
   CTR:         7bdb6e3b 432667eb 06f4d14b 7f2fbd0f
   E(K,CTR):    bff8665c fdd73363 550f7400 e8f9d376
   CTR+1:       7bdb6e3b 432667eb 06f4d14b 7f2fbd10
   E(K,CTR+1):  b2c9088e 713b8617 d8839226 d9f88159
   CTR+2:       7bdb6e3b 432667eb 06f4d14b 7f2fbd11
   E(K,CTR+2):  9e44d827 234949bc 1b12348e bc195ec7
   ciphertext:  cb900f2f ddbe4043 26601965 c889bf17 dba77ceb 094fa663 b7a3f748 ba8af829 ea64ad54 4a272e9c 485b62a3 fd5c0d

   output
   ------
   IV || C:     7bdb6e3b 432667eb 06f4d14b ff2fbd0f cb900f2f ddbe4043 26601965 c889bf17 dba77ceb 094fa663 b7a3f748 ba8af829 ea64ad54 4a272e9c 485b62a3 fd5c0d
Author's Address

Dan Harkins
Aruba Networks

EMail: dharkins@arubanetworks.com
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.