view Side-By-Side changes

Network Working Group                                            A. Kato
Internet-Draft                                  NTT Software Corporation
Obsoletes: 4312 (if approved)                                   M. Kanda
Intended status: Standards Track                                M. Kanda
Expires: December 27, 2007          Nippon Telegraph and Telephone
Expires: May 19, 2008                                        Corporation
                                                           June 25,
                                                       November 16, 2007


 The Additional Modes of Operation for Camellia and Its Use With IPsec
                   draft-kato-ipsec-camellia-modes-03
                   draft-kato-ipsec-camellia-modes-04

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 27, 2007. May 19, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).












Kato & Kanda              Expires December 27, 2007 May 19, 2008                  [Page 1]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


Abstract

   This document describes the use of the Camellia block cipher
   algorithm in Cipher Block Chaining (CBC) mode, Counter (CTR) mode and
   Counter with CBC-MAC (CCM) Mode , mode, as an IPsec Encapsulating Security
   Payload (ESP) mechanism to provide confidentiality, data origin
   authentication, and connectionless integrity.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  The Camellia Cipher Algorithm  . . . . . . . . . . . . . . . .  5
     2.1.  Key Size . . . . . . . . . . . . . . . . . . . . . . . . .  5
     2.2.  Weak Keys  . . . . . . . . . . . . . . . . . . . . . . . .  5
     2.3.  Block Size and Padding . . . . . . . . . . . . . . . . . .  5
     2.4.  Performance  . . . . . . . . . . . . . . . . . . . . . . .  5
   3.  Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.1.  Counter  CBC  . . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.2.  Counter with CBC-MAC  . . . . . . . . . . . . . . . . . . .  9
   4.  ESP Payload . . . . . .  7
     3.3.  Counter with CBC-MAC . . . . . . . . . . . . . . . . . . . 11
     4.1.  Counter  8
   4.  ESP Payload  . . . . . . . . . . . . . . . . . . . . . . . . . 11
       4.1.1.  Counter Block Format
     4.1.  CBC  . . . . . . . . . . . . . . . . . . . 12
       4.1.2.  Keying Material . . . . . . . . 11
       4.1.1.  ESP Algorithmic Interactions . . . . . . . . . . . 13 . . 11
     4.2.  Counter with CBC-MAC  . . . . . . . . . . . . . . . . . . . 13 . . . . . . 11
       4.2.1.  Initialization Vector (IV)  Counter Block Format . . . . . . . . . . . . . . 13 . . . 12
       4.2.2.  Encrypted Payload  Keying Material  . . . . . . . . . . . . . . . . . . 14
       4.2.3.  Authentication Data . 13
     4.3.  Counter with CBC-MAC . . . . . . . . . . . . . . . . 14
       4.2.4.  Nonce Format . . . 14
       4.3.1.  Initialization Vector (IV) . . . . . . . . . . . . . . 14
       4.3.2.  Encrypted Payload  . . . . 14
       4.2.5.  AAD Construction . . . . . . . . . . . . . . 14
       4.3.3.  Authentication Data  . . . . . 15
   5.  IKE Conventions . . . . . . . . . . . . 15
       4.3.4.  Nonce Format . . . . . . . . . . . 17
     5.1.  Phase 1 Identifier . . . . . . . . . . 15
       4.3.5.  AAD Construction . . . . . . . . . . 17
     5.2.  Phase 2 Identifier . . . . . . . . . 16
   5.  IKE Conventions  . . . . . . . . . . . 17
     5.3.  Key Length Attribute . . . . . . . . . . . . 17
     5.1.  Transform Type 1 . . . . . . . . . 17
   6.  Test Vectors . . . . . . . . . . . . 17
     5.2.  Key Length Attribute . . . . . . . . . . . . . 18
     6.1.  Camellia-CTR . . . . . . 17
     5.3.  Keying Material  . . . . . . . . . . . . . . . . . 18
     6.2.  Camellia-CCM . . . . 17
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 20 19
   7.  Security  IANA Considerations  . . . . . . . . . . . . . . . . . . . 33 . . 21
   8.  IANA Considerations  Acknowledgements . . . . . . . . . . . . . . . . . . . . . 35 . . 22
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 36 23
     9.1.  Normative  . . . . . . . . . . . . . . . . . . . . . . . . 36 23
     9.2.  Informative  . . . . . . . . . . . . . . . . . . . . . . . 36 23
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 39 26
   Intellectual Property and Copyright Statements . . . . . . . . . . 40 27





Kato & Kanda              Expires December 27, 2007 May 19, 2008                  [Page 2]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


1.  Introduction

   This document describes the use of the Camellia block cipher
   algorithm in Cipher Block Chaining mode (CBC), Counter (CTR) mode and
   Counter with CBC-MAC (CCM) Mode mode , as an IPsec Encapsulating Security
   Payload (ESP) mechanism to provide confidentiality, data origin
   authentication, and connectionless integrity.

   Camellia is a symmetric cipher with a Feistel structure.  Camellia
   was developed jointly by NTT and Mitsubishi Electric Corporation in
   2000.  It was designed to withstand all known cryptanalytic attacks,
   and it has been scrutinized by worldwide cryptographic experts.
   Camellia is suitable for implementation in software and hardware,
   offering encryption speed in software and hardware implementations
   that is comparable to Advanced Encryption Standard (AES) [18]. [7].

   Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
   lengths, i.e., the same interface specifications as the AES.
   Therefore, it is easy to implement Camellia based algorithms by
   replacing AES block of AES based algorithms to Camellia block.

   Camellia is adopted as IETF and several international standardization
   organizations.  Camellia is already adopted as IPSec [17], TLS [15],
   S/MIME [12] and XML [14].  Camellia is adopted for the one of three ISO/IEC international
   standard cipher [21] [8] as 128bit block cipher(Camellia AES and SEED).
   Camellia was selected as a recommended cryptographic primitive by the
   EU NESSIE (New European Schemes for Signatures, Integrity and
   Encryption) project [19] [9] and was included in the list of cryptographic
   techniques for Japanese e-Government systems that was selected by the
   Japan CRYPTREC (Cryptography Research and Evaluation Committees) [20].
   [10].

   Since optimized source code is provided by several open source
   lisences [23], [15], Camellia is also adopted by several open source
   projects.  Camellia is already adopted by Openssl.  Additional API
   for Network Security Services (NSS) and IPsec stack of
   projects(Openssl, FreeBSD, Linux and Free
   BSD are prepared or working progress for release. Gran Paradiso).

   The algorithm specification and object identifiers are described in
   [5].
   [1].  The Camellia homepage [24] [16] contains a wealth of information
   about Camellia, including detailed specification, security analysis,
   performance figures, reference implementation, optimized
   implementetion,
   implementation, test vectors, and intellectual property information.

   The remainder of this document specifies the additional modes of
   operation Camellia within the context of IPsec ESP.  For further
   information on how the various pieces of ESP fit together to provide
   security services, please refer to [6] [7], [11] [2], and [3]. [12].







Kato & Kanda              Expires December 27, 2007 May 19, 2008                  [Page 3]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


1.1.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
   appear in this document are to be interpreted as described in [1]. [3].














































Kato & Kanda              Expires December 27, 2007 May 19, 2008                  [Page 4]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


2.  The Camellia Cipher Algorithm

   All symmetric block cipher algorithms share common characteristics
   and variables, including mode, key size, weak keys, block size, and
   rounds.  The following sections contain descriptions of the relevant
   characteristics of Camellia.

   The algorithm specification and object identifiers are described in
   [5].
   [1].

2.1.  Key Size

   Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits.
   The default key size is 128 bits, and all implementations MUST
   support this key size.  Implementations MAY also support key sizes of
   192 bits and 256 bits.

   Camellia uses a different number of rounds for each of the defined
   key sizes.  When a 128-bit key is used, implementations MUST use 18
   rounds.  When a 192-bit key is used, implementations MUST use 24
   rounds.  When a 256-bit key is used, implementations MUST use 24
   rounds.

2.2.  Weak Keys

   At the time of writing this document there are no known weak keys for
   Camellia.

2.3.  Block Size and Padding

   Camellia uses a block size of sixteen octets (128 bits).

   Padding is required by the algorithms to maintain a 16-octet (128-
   bit) block size.  Padding MUST be added, as specified in [7], [2], such
   that the data to be encrypted (which includes the ESP Pad Length and
   Next Header fields) has a length that is a multiple of 16 octets.

   Because of the algorithm specific padding requirement, no additional
   padding is required to ensure that the ciphertext terminates on a
   4-octet boundary (i.e. maintaining a 16-octet block size guarantees
   that the ESP Pad Length and Next Header fields will be right aligned
   within a 4-octet word).  Additional padding MAY be included, as
   specified in [7], [2], as long as the 16-octet block size is maintained.

2.4.  Performance

   Performance figures of Camellia are available at
   <http://info.isl.ntt.co.jp/crypt/camellia/>.  NESSIE project has



Kato & Kanda              Expires December 27, 2007 May 19, 2008                  [Page 5]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


   reported performance of Optimized Implementations independently [19]. [9].


















































Kato & Kanda              Expires December 27, 2007 May 19, 2008                  [Page 6]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


3.  Mode

   Camellia Counter mode (Camellia-CTR) and Camellia Counter with CBC-
   MAC (Camellia-CCM) are discussed in this specification.

3.1.  CBC

   NIST has defined seven modes of operation for AES and other FIPS-
   approved ciphers : CBC (Cipher Block Chaining), ECB (Electronic
   CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack), CTR
   (Counter), CMAC (Cipher-based MAC) and CCM (CBC MAC).  The CBC mode
   is well defined and well understood for symmetric ciphers, and it is
   currently required for all other ESP ciphers.  This document
   specifies the use of the Camellia cipher in CBC mode within ESP.
   This mode requires an Initialization Vector (IV) size that is the
   same as the block size.  Use of a generic authenticate-and-encrypt randomly generated IV prevents
   generation of identical cipher text from packets that have identical
   data spanning the first block of the cipher mode [4].  In
   this specification, CCM algorithm's block size.

   The CBC IV is used XOR'd with the Camellia [5] first plaintext block cipher.

3.1. before it is
   encrypted.  Then, for successive blocks, the previous cipher text
   block is XOR'd with the current plain text before it is encrypted.
   More information on CBC mode can be obtained in [4].

3.2.  Counter

   Camellia-CTR [5] requires the encryptor to generate a unique per-packet per-
   packet value, and communicate this value to the decryptor.  This
   specification calls this per-packet value an initialization vector
   (IV).  The same IV and key combination MUST NOT be used more than
   once.  The encryptor can generate the IV in any manner that ensures
   uniqueness.  Common approaches to IV generation include incrementing
   a counter for each packet and linear feedback shift registers
   (LFSRs).

   This specification calls for the use of a nonce for additional
   protection against precomputation attacks.  The nonce value need not
   be secret.  However, the nonce MUST be unpredictable prior to the
   establishment of the IPsec security association Security Association (SA) that is making
   use of Camellia-CTR.

   Camellia-CTR has many properties that make it an attractive
   encryption algorithm for in high-speed networking.  Camellia-CTR uses
   the Camellia block cipher to create a stream cipher.  Data is
   encrypted and decrypted by XORing with the key stream produced by
   Camellia encrypting sequential counter block values.  Camellia-CTR is
   easy to implement, and Camellia-CTR can be pipelined and
   parallelized.  Camellia-CTR also supports key stream precomputation.

   Pipelining is possible because Camellia has multiple rounds (see
   Section 2.).  A hardware implementation (and some software



Kato & Kanda              Expires May 19, 2008                  [Page 7]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


   implementations) can create a pipeline by unwinding the loop implied
   by this round structure.  For example, after a 16-octet block has
   been input, one round later another 16-octet block can be input, and
   so on.  In Camellia-CTR, these inputs are the sequential counter
   block values used to generate the key stream.

   Multiple independent Camellia encrypt implementations can also be
   used to improve performance.  For example, one could use two Camellia
   encrypt implementations in parallel, to process a sequence of counter
   block values, doubling the effective throughput.

   The sender can precompute the key stream.  Since the key stream does
   not depend on any data in the packet, the key stream can be



Kato & Kanda            Expires December 27, 2007               [Page 7]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007
   precomputed once the nonce and IV are assigned.  This precomputation
   can reduce packet latency.  The receiver cannot perform similar
   precomputation because the IV will not be known before the packet
   arrives.

   When used correctly, Camellia-CTR provides a high level of
   confidentiality.  Unfortunately, Camellia-CTR is easy to use
   incorrectly.  Being a stream cipher, any reuse of the per-packet
   value, called the IV, with the same nonce and key is catastrophic.
   An IV collision immediately leaks information about the plaintext in
   both packets.  For this reason, it is inappropriate to use this mode
   of operation with static keys.  Extraordinary measures would be
   needed to prevent reuse of an IV value with the static key across
   power cycles.  To be safe, implementations MUST use fresh keys with
   Camellia-CTR.  The Internet Key Exchange (IKE) [8] (IKEv2) [6] protocol can be
   used to establish fresh keys.  IKE can also provide the nonce value.

   With Camellia-CTR, it is trivial to use a valid ciphertext to forge
   other (valid to the decryptor) ciphertexts.  Thus, it is equally
   catastrophic to use Camellia-CTR without a companion authentication
   function.  Implementations MUST use Camellia-CTR in conjunction with
   an authentication function, such as Camellia-CMAC-96 [22].

   To encrypt a payload with Camellia-CTR, the encryptor partitions the
   plaintext, PT, into 128-bit blocks.  The final block need not be 128
   bits; it [13].

   More information and Test Vectors for Camellia-CTR can be less.

         PT = PT[1] PT[2] ... PT[n]

   Each PT block is XORed obtained in
   [5].

3.3.  Counter with CBC-MAC

   CCM is a generic authenticate-and-encrypt block of the key stream to generate cipher mode.  In this
   specification, CCM is used with the
   ciphertext, CT.  The Camellia encryption of each counter [5] block
   results in 128 bits of key stream. cipher.

   Camellia-CCM [5] has two parameters:






Kato & Kanda              Expires May 19, 2008                  [Page 8]

Internet-Draft  The most significant 96 bits of
   the counter block are set to the nonce value, which is 32 bits,
   followed by the per-packet IV value, which is 64 bits.  The least
   significant 32 bits of the counter block are initially set to one.
   This counter value is incremented by one to generate subsequent
   counter blocks, each resulting in another 128 bits of key stream.
   The encryption of n plaintext blocks can be summarized as:

         CTRBLK := NONCE || IV || ONE
         FOR i := 1 to n-1 DO
           CT[i] := PT[i] XOR Camellia(CTRBLK)
           CTRBLK := CTRBLK + 1
         END
         CT[n] := PT[n] XOR TRUNC(Camellia(CTRBLK))

   The Camellia() function performs Camellia encryption with the fresh
   key.



Kato & Kanda            Expires December 27, 2007               [Page 8]

Internet-Draft  The Additional Modes Additional Modes of Camellia in IPsec      June  November 2007


   The TRUNC() function truncates the output of the Camellia encrypt
   operation to the same length as the final plaintext block, returning
   the most significant bits.

   Decryption is similar.  The decryption of n ciphertext blocks can be
   summarized as:


         CTRBLK := NONCE || IV || ONE
         FOR i := 1 to n-1 DO
           PT[i] := CT[i] XOR Camellia(CTRBLK)
           CTRBLK := CTRBLK + 1
         END
         PT[n] := CT[n] XOR TRUNC(Camellia(CTRBLK))

3.2.  Counter with CBC-MAC

   CCM is a generic authenticate-and-encrypt block cipher mode [4].  In
   this specification, CCM is used with the Camellia [5] block cipher.

   Camellia-CCM has two parameters:


   M  M indicates the size of the integrity check value (ICV).  CCM
      defines values of 4, 6, 8, 10, 12, 14, and 16 octets; However, to
      maintain alignment and provide adequate security, only the values
      that are a multiple of four and are at least eight are permitted.
      Implementations MUST support M values of 8 octets and 16 octets,
      and implementations MAY support an M value of 12 octets.

   L  L indicates the size of the length field in octets.  CCM defines
      values of L between 2 octets and 8 octets.  This specification
      only supports L = 4.  Implementations MUST support an L value of 4
      octets, which accommodates a full Jumbogram [11]; [14]; however, the
      length includes all of the encrypted data, which also includes the
      ESP Padding, Pad Length, and Next Header fields.

   There are four inputs to CCM originator processing:

   key
      A single key is used to calculate the ICV using CBC-MAC and to
      perform payload encryption using counter mode.  Camellia supports
      key sizes of 128 bits, 192 bits, and 256 bits.  The default key
      size is 128 bits, and implementations MUST support this key size.
      Implementations MAY also support key sizes of 192 bits and 256
      bits.






Kato & Kanda            Expires December 27, 2007               [Page 9]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007

   nonce
      The size of the nonce depends on the value selected for the
      parameter L. It is 15-L octets.  Implementations MUST support a
      nonce of 11 octets.  The construction of the nonce is described in
      Section 4.2.4. 4.3.4.

   payload
      The payload of the ESP packet.  The payload MUST NOT be longer
      than 4,294,967,295 octets, which is the maximum size of a
      Jumbogram [11]; [14]; however, the ESP Padding, Pad Length, and Next
      Header fields are also part of the payload.

   AAD
      CCM provides data integrity and data origin authentication for
      some data outside the payload.  CCM does not allow additional
      authenticated data (AAD) to be longer than
      18,446,744,073,709,551,615 octets.  The ICV is computed from the
      ESP header, Payload, and ESP trailer fields, which is
      significantly smaller than the CCM-imposed limit.  The
      construction of the AAD described in Section 4.2.5. 4.3.5.

   Camellia-CCM requires the encryptor to generate a unique per-packet
   value and to communicate this value to the decryptor.  This per-
   packet value is one of the component parts of the nonce, and it is



Kato & Kanda              Expires May 19, 2008                  [Page 9]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


   referred to as the initialization vector (IV).  The same IV and key
   combination MUST NOT be used more than once.  The encryptor can
   generate the IV in any manner that ensures uniqueness.  Common
   approaches to IV generation include incrementing a counter for each
   packet and linear feedback shift registers (LFSRs).

   Camellia-CCM employs counter mode for encryption.  As with any stream
   cipher, reuse of the same IV value with the same key is catastrophic.
   An IV collision immediately leaks information about the plaintext in
   both packets.  For this reason, it is inappropriate to use this CCM
   with statically configured keys.  Extraordinary measures would be
   needed to prevent reuse of an IV value with the static key across
   power cycles.  To be safe, implementations MUST use fresh keys with
   Camellia-CCM.  The Internet Key Exchange (IKE) [2] protocol or IKEv2
   [8] protocol [6] can be used to establish fresh
   keys.

   More information and Test Vectors for Camellia-CCM can be obtained in
   [5].

































Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 10]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


4.  ESP Payload

4.1.  CBC

   The ESP payload for Camellia-CBC is made up of the IV followed by raw
   cipher-text.
   Thus  Thus, the payload field, as defined in [7], [2], is broken
   down according to the following diagram:

4.1.  Counter

      +---------------+---------------+---------------+---------------+
      |                                                               |
      +               Initialization Vector (16 octets)               +
      |                                                               |
      +---------------+---------------+---------------+---------------+
      |                                                               |
      ~ Encrypted Payload (variable length, a multiple of 16 octets)  ~
      |                                                               |
      +---------------------------------------------------------------+

             Figure 1: ESP Payload Encrypted with Camellia-CBC

   The Camellia counter IV field MUST be the same size as the block size of the cipher block is 128 bits.
   algorithm being used.  The IV MUST be chosen at random, and MUST be
   unpredictable.

   Including the IV in each datagram ensures that each received datagram
   can be decrypted, even when some datagrams are dropped or re-ordered
   in transit.

   To avoid CBC encryption of very similar plaintext blocks in different
   packets, implementations MUST NOT use a counter or other low Hamming-
   distance source for IVs.

4.1.1.  ESP Algorithmic Interactions

   Currently, there are no known issues regarding interactions between
   the Camellia and other aspects of ESP, such as the use of certain
   authentication schemes.

4.2.  Counter

   The ESP payload for Camellia-CBC is made up of the IV followed by raw
   cipher-text. bits.  Figure 1 2 shows the format of the counter block.









Kato & Kanda              Expires May 19, 2008                 [Page 11]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                     Initialization Vector                     |
      |                            (8 octets)                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~                  Encrypted Payload (variable)                 ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      ~                 Authentication Data (variable)                ~
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 1: 2: ESP Payload Encrypted with Camellia-CTR

   The components of the counter block are as follows:

   Initialization Vector
      The Camellia-CTR IV field MUST be eight octets.  The IV MUST be
      chosen by the encryptor in a manner that ensures that the same IV
      value is used only once for a given key.  The encryptor can
      generate the IV in any manner that ensures uniqueness.  Common
      approaches to IV generation include incrementing a counter for
      each packet and linear feedback shift registers (LFSRs).
      Including the IV in each packet ensures that the decryptor can
      generate the key stream needed for decryption, even when some
      packets are lost or reordered.

   Encrypted Payload
      The encrypted payload contains the ciphertext.  Camellia-CTR mode
      does not require plaintext padding.  However, ESP does require
      padding to 32-bit word-align the authentication data.  The
      padding, Pad Length, and the Next Header MUST be concatenated with
      the plaintext before performing encryption, as described in [7].




Kato & Kanda            Expires December 27, 2007              [Page 11]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007 [2].

   Authentication Data
      Since it is trivial to construct a forgery Camellia-CTR ciphertext
      from a valid Camellia-CTR ciphertext, Camellia-CTR implementations
      MUST employ a non-NULL ESP authentication method.
      Camellia-CMAC-96 [22] [13] is a likely choice.

4.1.1.

4.2.1.  Counter Block Format

   The Camellia Camellia-CTR counter block cipher block is 128 bits.  Figure 2 3 shows the
   format of the counter block.




Kato & Kanda              Expires May 19, 2008                 [Page 12]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Nonce                              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                  Initialization Vector (IV)                   |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Block Counter                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 2: 3: Counter Block Format

   The components of the counter block are as follows:

   Nonce
      The Nonce field is 32 bits.  As the name implies, the nonce is a
      single use value.  That is, a fresh nonce value MUST be assigned
      for each security association. SA.  It MUST be assigned at the beginning of the security association. SA.  The
      nonce value need not be secret, but it MUST be unpredictable prior
      to the beginning of the security association.

   Initializetion SA.

   Initialization Vector
      The IV field is 64 bits.  As described in section 3.1, the IV MUST
      be chosen by the encryptor in a manner that ensures that the same
      IV value is used only once for a given key.

   Block Counter
      The block counter field is the least significant 32 bits of the
      counter block.  The block counter begins with the value of one,
      and it is incremented to generate subsequent portions of the key
      stream.  The block counter is a 32-bit big-endian integer value.

   Using the encryption process described in Section 3.1, 3.2, this
   construction permits each packet to consist of up to:



Kato & Kanda            Expires December 27, 2007              [Page 12]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007

         (2^32)-1 blocks  =  4,294,967,295 blocks
                          = 68,719,476,720 octets

   This construction can produce enough key stream for each packet
   sufficient to handle any IPv6 jumbogram [11].

4.1.2. [14].

4.2.2.  Keying Material

   The minimum number of bits sent from the key exchange protocol to the
   ESP algorithm must be greater than or equal to the key size.

   The cipher's encryption and decryption key is taken from the first



Kato & Kanda              Expires May 19, 2008                 [Page 13]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


   128, 192, or 256 bits of the keying material.

4.2.

4.3.  Counter with CBC-MAC

   The ESP payload is composed of the IV followed by the ciphertext.
   The payload field, as defined in [7], [2], is structured as shown in
   Figure 3. 4.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                     Initialization Vector                     |
       |                            (8 octets)                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       ~                  Encrypted Payload (variable)                 ~
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       ~                 Authentication Data (variable)                ~
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 3: 4: ESP Payload Encrypted with Camellia-CCM

4.2.1.

4.3.1.  Initialization Vector (IV)

   The Camellia-CCM IV field MUST be eight octets.  The IV MUST be
   chosen by the encryptor in a manner that ensures that the same IV
   value is used only once for a given key.  The encryptor can generate
   the IV in any manner that ensures uniqueness.  Common approaches to
   IV generation include incrementing a counter for each packet and
   linear feedback shift registers (LFSRs).

   Including the IV in each packet ensures that the decryptor can
   generate the key stream needed for decryption, even when some



Kato & Kanda            Expires December 27, 2007              [Page 13]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007
   datagrams are lost or reordered.

4.2.2.

4.3.2.  Encrypted Payload

   The encrypted payload contains the ciphertext.

   Camellia-CCM mode does not require plaintext padding.  However, ESP
   does require padding to 32-bit word-align the authentication data.
   The Padding, Pad Length, and Next Header fields MUST be concatenated
   with the plaintext before performing encryption, as described in [7]. [2].
   When padding is required, it MUST be generated and checked in
   accordance with the conventions specified in [7].

4.2.3. [2].



Kato & Kanda              Expires May 19, 2008                 [Page 14]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


4.3.3.  Authentication Data

   Camellia-CCM provides an encrypted ICV.  The ICV provided by CCM is
   carried in the Authentication Data fields without further encryption.
   Implementations MUST support ICV sizes of 8 octets and 16 octets.
   Implementations MAY also support ICV 12 octets.

4.2.4.

4.3.4.  Nonce Format

   Each packet conveys the IV that is necessary to construct the
   sequence of counter blocks used by counter mode to generate the key
   stream.  The Camellia counter block is 16 octets.  One octet is used
   for the CCM Flags, and 4 octets are used for the block counter, as
   specified by the CCM L parameter.  The remaining octets are the
   nonce.  These octets occupy the second through the twelfth octets in
   the counter block.  Figure 4 5 shows the format of the nonce.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                       |                  Salt                         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                     Initialization Vector                     |
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


                       Figure 4: 5: Nonce Format of CCM

   The components of the nonce are as follows:

   Salt
      The salt field is 24 bits.  As the name implies, it contains an
      unpredictable value.  It MUST be assigned at the beginning of the
      security association.
      SA.  The salt value need not be secret, but it



Kato & Kanda            Expires December 27, 2007              [Page 14]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007 MUST NOT be
      predictable prior to the beginning of the security
      association. SA.

   Initialization Vector
      The IV field is 64 bits.  As described in Section 3.1, the IV MUST
      be chosen by the encryptor in a manner that ensures that the same
      IV value is used only once for a given key.

   This construction permits each packet to consist of up to:

            2^32 blocks  =  4,294,967,296 blocks
                         = 68,719,476,736 octets

   This construction provides more key stream for each packet than is
   needed to



Kato & Kanda              Expires May 19, 2008                 [Page 15]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


   needed to handle any IPv6 Jumbogram [11].

4.2.5. [14].

4.3.5.  AAD Construction

   The data integrity and data origin authentication for the Security
   Parameters Index (SPI) and (Extended) Sequence Number fields is
   provided without encrypting them.  Two formats are defined: one for
   32-bit sequence numbers and one for 64-bit extended sequence numbers.
   The format with 32-bit sequence numbers is shown in Figure 5, 6, and the
   format with 64-bit extended sequence numbers is shown in Figure 6. 7.

   Sequence Numbers are conveyed canonical network byte order.  Extended
   Sequence Numbers are conveyed canonical network byte order, placing
   the high-order 32 bits first and the low-order 32 bits second.
   Canonical network byte order is fully described in RFC 791, Appendix
   B.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                               SPI                             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                     32-bit Sequence Number                    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 5: 6:  AAD Format with 32-bit Sequence Number











Kato & Kanda            Expires December 27, 2007              [Page 15]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                               SPI                             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                 64-bit Extended Sequence Number               |
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 6: 7:  AAD Format with 64-bit Sequence Number













Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 16]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


5.  IKE Conventions

   Camellia was designed to follow the same API as the AES cipher.
   Therefore, this

   This section defines only Phase 1 Identifier and Phase 2
   Identifier.  Any other consideration related to interaction with IKE
   is the same as that of describes the AES cipher.  Details can be found in IKE
   Conventions section of [13] transform ID and [16].

5.1.  Phase 1 Identifier

   This document does not specify the conventions used to
   generate keying material for using Camellia-CTR use with ENCR_CAMELLIA_CBC,
   ENCR_CAMELLIA_CTR and Camellia-CCM for IKE Phase ENCR_CAMELLIA_CCM using the Internet Key
   Exchange (IKEv2) [6].

5.1.  Transform Type 1 negotiations.  For Camellia-CTR and
   Camellia-CCM to be used in this manner, a separate specification is
   needed, and an Encryption Algorithm Identifier needs to be assigned.

5.2.  Phase 2 Identifier

   For IKE Phase 2 IKEv2 negotiations, IANA has assigned three five ESP Transform
   Identifiers for Camellia-CBC, Camellia-CTR and Camellia-CCM.

         <TBD1> for Camellia-CTR Camellia-CBC with and explict explicit IV;
         <TBD2> for Camellia-CTR with explicit IV;
         <TBD3> for Camellia-CCM with an 8-octet ICV;
         <TBD3>
         <TBD4> for Camellia-CCM with a 12-octet ICV; and
         <TBD4>
         <TBD5> for Camellia-CCM with a 16-octet ICV.

5.3.

5.2.  Key Length Attribute

   Since the Camellia supports three key lengths, the Key Length
   attribute MUST be specified in the IKE Phase 2 exchange [10]. [6].  The Key Length
   attribute MUST have a value of 128, 192, or 256.





















Kato & Kanda            Expires December 27, 2007              [Page 17]

Internet-Draft

5.3.  Keying Material

   The Additional Modes size of Camellia in IPsec      June 2007


6.  Test Vectors

6.1.  Camellia-CTR

   This section contains nine test vectors(TV), which can KEYMAT MUST be used to
   confirm that an implementation has correctly implemented Camellia-
   CTR.  The first three test vectors use equal or longer than the associated
   Camellia key.  The keying material is used as follows:

   Camellia-CBC with a 128 bit key; 128-bit key
      The KEYMAT requested for each Camellia-CBC key is 16 octets.  The
      whole octets are the next three test vectors use 128-bit Camellia key.

   Camellia-CBC with a 192 bit key; and 192-bit key
      The KEYMAT requested for each Camellia-CBC key is 24 octets.  The
      whole octets are the
   last three test vectors use 192-bit Camellia with a 256 bit key.


   TV #1: Encrypting 16 octets using Camellia-CTR

   Camellia-CBC with 128-bit a 256-bit key
   Camellia Key     : AE 68 52 F8 12 10 67 CC 4B F7 A5 76 55 77 F3 9E
   Camellia-CTR IV  : 00 00 00 00 00 00 00 00
   Nonce            : 00 00 00 30
   Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
   Counter Block (1): 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 01
   Key Stream    (1): 83 F4 AC FD EE 71 41 F8 4C E8 1F 1D FB 72 78 58
   Ciphertext       : D0 9D C2 9A 82 14 61 9A 20 87 7C 76 DB 1F 0B 3F

   TV #2: Encrypting
      The KEYMAT requested for each Camellia-CBC key is 32 octets.  The
      whole octets using are the 256-bit Camellia key.

   Camellia-CTR with a 128-bit key
   Camellia Key     : 7E 24 06 78 17 FA E0 D7 43 D6 CE 1F 32 53 91 63
      The KEYMAT requested for each Camellia-CTR IV  : C0 54 3B 59 DA 48 D9 0B
   Nonce            : 00 6C B6 DB
   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                    : 10 11 12 13 14 15 key is 20 octets.  The
      first 16 17 18 19 1A 1B 1C 1D 1E 1F
   Counter Block (1): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 01
   Key Stream    (1): DB F2 C5 8E C4 86 90 D3 D2 75 9A 7C 69 B6 C5 4B
   Counter Block (2): 00 6C B6 DB C0 54 3B 59 DA 48 D9 0B 00 00 00 02
   Key Stream    (2): 3B 9F 9C 1C 25 E5 CA B0 34 6D 0D F8 4F 7D FE 57
   Ciphertext       : DB F3 C7 8D C0 83 96 D4 DA 7C 90 77 65 BB CB 44
                    : 2B 8E 8E 0F 31 F0 DC A7 2C 74 17 E3 53 60 E0 48

   TV #3: Encrypting 36 octets using Camellia-CTR with are the 128-bit key Camellia Key     : 76 91 BE 03 5E 50 20 A8 AC 6E 61 85 29 F9 A0 DC
   Camellia-CTR IV  : 27 77 7F 3F 4A 17 86 F0
   Nonce            : 00 E0 01 7B
   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
                    : 20 21 22 23
   Counter Block (1): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 01
   Key Stream    (1): B1 9C 1D CE CF 70 ED 8F 27 8D 96 E9 41 88 C1 7C
   Counter Block (2): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 02
   Key Stream    (2): 8C F7 59 38 48 88 65 E6 57 34 47 86 D2 85 97 D2
   Counter Block (3): 00 E0 01 7B 27 77 7F 3F 4A 17 86 F0 00 00 00 03
   Key Stream    (3): FF 71 A4 B5 D8 86 12 53 6A 9D 10 A1 13 0F 14 F8
   Ciphertext       : B1 9D 1F CD CB 75 EB 88 2F 84 9C E2 4D 85 CF 73
                    : 9C E6 4B 2B 5C 9D 73 F1 4F 2D 5D 9D CE 98 89 CD key, and the remaining
      four octets are used as the nonce value in the counter block.






Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 18] 17]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


                    : DF 50 86 96

   TV #4: Encrypting 16 octets using


   Camellia-CTR with a 192-bit key
   Camellia Key     : 16 AF 5B 14 5F C9 F5 79 C1 75 F9 3E 3B FB 0E ED
                    : 86 3D 06 CC FD B7 85 15
      The KEYMAT requested for each Camellia-CTR IV  : 36 73 3C 14 7D 6D 93 CB
   Nonce            : 00 00 00 48
   Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
   Counter Block (1): 00 00 00 48 36 73 3C 14 7D 6D 93 CB 00 00 00 01
   Key Stream    (1): 70 10 57 F9 E6 E8 0B 49 7A 1F 4C AC AB F3 E5 F1
   Ciphertext       : 23 79 39 9E 8A 8D 2B 2B 16 70 2F C7 8B 9E 96 96

   TV #5: Encrypting 32 key is 28 octets.  The
      first 24 octets using Camellia-CTR with are the 192-bit key Camellia Key     : 7C 5C B2 40 1B 3D C3 3C 19 E7 34 08 19 E0 F6 9C
                    : 67 8C 3D B8 E6 F6 A9 1A
   Camellia-CTR IV  : 02 0C 6E AD C2 CB 50 0D
   Nonce            : 00 96 B0 3B
   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   Counter Block (1): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 01
   Key Stream    (1): 7D EE 36 F4 A1 D5 E2 12 6F 42 75 F7 A2 6A C9 52
   Counter Block (2): 00 96 B0 3B 02 0C 6E AD C2 CB 50 0D 00 00 00 02
   Key Stream    (2): C0 09 AA 7C E6 25 47 F7 4E 20 30 82 EF 47 52 F2
   Ciphertext       : 7D EF 34 F7 A5 D0 E4 15 67 4B 7F FC AE 67 C7 5D
                    : D0 18 B8 6F F2 30 51 E0 56 39 2A 99 F3 5A 4C ED

   TV #6: Encrypting 36 key, and the remaining
      four octets using are used as the nonce value in the counter block.

   Camellia-CTR with 192-bit a 128-bit key
   Camellia Key     : 02 BF 39 1E E8 EC B1 59 B9 59 61 7B 09 65 27 9B
                    : F5 9B 60 A7 86 D3 E0 FE
      The KEYMAT requested for each Camellia-CTR IV  : 5C BD 60 27 8D CC 09 12
   Nonce            : 00 07 BD FD
   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
                    : 20 21 22 23
   Counter Block (1): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 01
   Key Stream    (1): 57 11 E7 55 E5 4D 7C 27 BD A5 04 78 FD 93 40 77
   Counter Block (2): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 02
   Key Stream    (2): 66 E2 6D CF 85 A4 F9 5A 55 B4 F2 FD 7A BB 53 11
   Counter Block (3): 00 07 BD FD 5C BD 60 27 8D CC 09 12 00 00 00 03
   Key Stream    (3): F5 76 89 74 63 52 A8 C5 1E 82 DE 66 C3 9F 38 34
   Ciphertext       : 57 10 E5 56 E1 48 7A 20 B5 AC 0E 73 F1 9E 4E 78
                    : 76 F3 7F DC 91 B1 EF 4D 4D AD E8 E6 66 A6 4D 0E
                    : D5 57 AB 57

   TV #7: Encrypting 16 octets using Camellia-CTR with 256-bit key
   Camellia Key     : 77 6B EF F2 85 1D B0 6F 4C 8A 05 42 C8 69 6F 6C
                    : 6A 81 AF 1E EC 96 B4 D3 7F C1 D6 89 E6 C1 C1 04
   Camellia-CTR IV  : DB 56 72 C9 7A A8 F0 B2



Kato & Kanda            Expires December 27, 2007              [Page 19]

Internet-Draft is 36 octets.  The Additional Modes of Camellia in IPsec      June 2007


   Nonce            : 00 00 00 60
   Plaintext        : 53 69 6E 67 6C 65 20 62 6C 6F 63 6B 20 6D 73 67
   Counter Block (1): 00 00 00 60 DB 56 72 C9 7A A8 F0 B2 00 00 00 01
   Key Stream    (1): 67 68 97 AF 48 1B DF AC D1 06 F7 1A 6C 76 C8 76
   Ciphertext       : 34 01 F9 C8 24 7E FF CE BD 69 94 71 4C 1B BB 11

   TV #8: Encrypting
      first 32 octets using Camellia-CTR with 256-bit key
   Camellia Key     : F6 D6 6D 6B D5 2D 59 BB 07 96 36 58 79 EF F8 86
                    : C6 6D D5 1A 5B 6A 99 74 4B 50 59 0C 87 A2 38 84
   Camellia-CTR IV  : C1 58 5E F1 5A 43 D8 75
   Nonce            : 00 FA AC 24
   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
   Counter Block (1): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 01
   Key Stream    (1): D6 C2 01 91 20 6A 7E 0F A0 35 21 29 A4 8E 90 4A
   Counter Block (2): 00 FA AC 24 C1 58 5E F1 5A 43 D8 75 00 00 00 02
   Key Stream    (2): F5 0D C6 99 08 CA 56 79 A4 85 D8 C8 B7 9E 5F 17
   Ciphertext       : D6 C3 03 92 24 6F 78 08 A8 3C 2B 22 A8 83 9E 45
                    : E5 1C D4 8A 1C DF 40 6E BC 9C C2 D3 AB 83 41 08

   TV #9: Encrypting 36 octets using Camellia-CTR with are the 256-bit key Camellia Key     : FF 7A 61 7C E6 91 48 E4 F1 72 6E 2F 43 58 1D E2
                    : AA 62 D9 F8 05 53 2E DF F1 EE D6 87 FB 54 15 3D
   Camellia-CTR IV  : 51 A5 1D 70 A1 C1 11 48
   Nonce            : 00 1C C5 B7
   Plaintext        : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
                    : 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
                    : 20 21 22 23
   Counter Block (1): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 01
   Key Stream    (1): A4 DB 21 FF E2 A0 F9 AD 65 6D A4 91 0A 5F AA 23
   Counter Block (2): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 02
   Key Stream    (2): C1 70 B1 58 71 EC 71 88 6D D9 05 0B 03 6C 39 70
   Counter Block (3): 00 1C C5 B7 51 A5 1D 70 A1 C1 11 48 00 00 00 03
   Key Stream    (3): 35 CE 2F AE 90 78 B3 72 F5 76 12 39 1F 8B AF BF
   Ciphertext       : A4 DA 23 FC E6 A5 FF AA 6D 64 AE 9A 06 52 A4 2C
                    : D1 61 A3 4B 65 F9 67 9F 75 C0 1F 10 1F 71 27 6F
                    : 15 EF 0D 8D

6.2.  Camellia-CCM

   This section contains twenty four test vectors, which can be used to
   confirm that an implementation has correctly implemented Camellia-
   CCM.  In each of these test vectors, the least significant sixteen
   bits of key, and the counter block is remaining
      four octets are used for the block counter, and as the nonce is 13 octets.  Some of the test vectors include a eight octet
   authentication value, and others include a ten octet authentication
   value.




Kato & Kanda            Expires December 27, 2007              [Page 20]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #1 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 03  02 01 00 A0  A1 A2 A3 A4  A5
   Total packet length =   31. [Input (8 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
   CBC IV in: 59 00 00 00  03 02 01 00  A0 A1 A2 A3  A4 A5 00 17
   CBC IV out:D4 DB CD 92  A8 96 41 56  1D 0D BB D0  D5 7F 7E 1D
   After xor: D4 D3 CD 93  AA 95 45 53  1B 0A BB D0  D5 7F 7E 1D   [hdr]
   After CAM: BD 84 03 80  73 59 37 B7  CE F5 E4 BA  1B 18 54 DC
   After xor: B5 8D 09 8B  7F 54 39 B8  DE E4 F6 A9  0F 0D 42 CB   [msg]
   After CAM: CE 21 82 9C  F6 F2 4D A2  CB 35 D1 FD  81 27 63 EC
   After xor: D6 38 98 87  EA EF 53 A2  CB 35 D1 FD  81 27 63 EC   [msg]
   After CAM: 20 11 FE E2  53 B1 A7 DB  02 77 FA 37  6D 78 EE 10
   MIC tag  : 20 11 FE E2  53 B1 A7 DB
   CTR Start: 01 00 00 00  03 02 01 00  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: B2 7A 7B 8E  EB 14 3F 0B  82 E2 98 4C  06 44 CC 42
   CTR[0002]: E2 E2 D3 52  98 97 13 45  D1 63 22 90  E7 F8 15 4A
   CTR[MIC ]: DC BF 30 96  38 8C 1E 76
   Total packet length =   39. [Encrypted]
              00 01 02 03  04 05 06 07  BA 73 71 85  E7 19 31 04
              92 F3 8A 5F  12 51 DA 55  FA FB C9 49  84 8A 0D FC
              AE CE 74 6B  3D B9 AD

   =============== Packet Vector #2 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 04  03 02 01 A0  A1 A2 A3 A4  A5
   Total packet length =   32. [Input (8 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
   CBC IV in: 59 00 00 00  04 03 02 01  A0 A1 A2 A3  A4 A5 00 18
   CBC IV out:07 0B 22 50  8A 24 3C DD  5B BA 54 DB  60 52 88 06
   After xor: 07 03 22 51  88 27 38 D8  5D BD 54 DB  60 52 88 06   [hdr]
   After CAM: 10 FD C2 F2  90 4A 9F 96  B0 4F 62 A4  A1 A9 31 1E
   After xor: 18 F4 C8 F9  9C 47 91 99  A0 5E 70 B7  B5 BC 27 09   [msg]
   After CAM: E4 C8 82 02  89 55 5C 15  CE 7F E4 60  B1 B9 5A 08
   After xor: FC D1 98 19  95 48 42 0A  CE 7F E4 60  B1 B9 5A 08   [msg]
   After CAM: D2 96 BA 4F  83 DE B5 DF  A2 19 08 F7  47 4E 3C 40
   MIC tag  : D2 96 BA 4F  83 DE B5 DF
   CTR Start: 01 00 00 00  04 03 02 01  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: 55 2C 6E B4  82 A2 EF D6  85 37 FE 12  79 0E E6 55
   CTR[0002]: 54 E2 C8 D6  7E 99 91 2C  F2 8A D7 8E  83 04 10 36
   CTR[MIC ]: B2 24 93 12  71 9C 36 37
   Total packet length =   40. [Encrypted]
              00 01 02 03  04 05 06 07  5D 25 64 BF  8E AF E1 D9
              95 26 EC 01  6D 1B F0 42  4C FB D2 CD  62 84 8F 33
              60 B2 29 5D  F2 42 83 E8




Kato & Kanda            Expires December 27, 2007              [Page 21]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #3 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 05  04 03 02 A0  A1 A2 A3 A4  A5
   Total packet length =   33. [Input (8 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
              20
   CBC IV in: 59 00 00 00  05 04 03 02  A0 A1 A2 A3  A4 A5 00 19
   CBC IV out:6F 69 15 DF  A6 A0 DF 24  84 A7 37 88  A3 65 F9 2E
   After xor: 6F 61 15 DE  A4 A3 DB 21  82 A0 37 88  A3 65 F9 2E   [hdr]
   After CAM: 59 5D 99 48  79 04 DA C9  13 93 36 C9  11 A8 09 1D
   After xor: 51 54 93 43  75 09 D4 C6  03 82 24 DA  05 BD 1F 0A   [msg]
   After CAM: 1A 43 D7 19  65 43 97 C1  43 6F 4F 11  A7 6C 6B ED
   After xor: 02 5A CD 02  79 5E 89 DE  63 6F 4F 11  A7 6C 6B ED   [msg]
   After CAM: 30 0B 06 8A  A0 D1 4D C5  9E 44 22 84  82 45 42 0B
   MIC tag  : 30 0B 06 8A  A0 D1 4D C5
   CTR Start: 01 00 00 00  05 04 03 02  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: 89 FF 69 DD  CB 75 76 18  E9 31 24 1B  AD 97 BB 02
   CTR[0002]: C4 32 A7 9C  CB 4B E9 8D  24 A8 F0 AB  C6 87 16 11
   CTR[MIC ]: C5 5A D0 E2  8F F2 E7 83
   Total packet length =   41. [Encrypted]
              00 01 02 03  04 05 06 07  81 F6 63 D6  C7 78 78 17
              F9 20 36 08  B9 82 AD 15  DC 2B BD 87  D7 56 F7 92
              04 F5 51 D6  68 2F 23 AA  46

   =============== Packet Vector #4 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 06  05 04 03 A0  A1 A2 A3 A4  A5
   Total packet length =   31. [Input (12 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
   CBC IV in: 59 00 00 00  06 05 04 03  A0 A1 A2 A3  A4 A5 00 13
   CBC IV out:F5 51 CF 6C  7C F7 D4 0B  2B 76 F1 6B  57 F0 19 FE
   After xor: F5 5D CF 6D  7E F4 D0 0E  2D 71 F9 62  5D FB 19 FE   [hdr]
   After CAM: 02 2B 21 1B  EB 97 02 3B  F8 10 7D CC  62 14 E5 7C
   After xor: 0E 26 2F 14  FB 86 10 28  EC 05 6B DB  7A 0D FF 67   [msg]
   After CAM: 48 14 A4 2D  31 25 1C 37  19 C5 6F DD  5A 37 81 42
   After xor: 54 09 BA 2D  31 25 1C 37  19 C5 6F DD  5A 37 81 42   [msg]
   After CAM: CF 85 25 D2  80 D5 F0 09  53 2C 9D 43  4E F3 04 47
   MIC tag  : CF 85 25 D2  80 D5 F0 09
   CTR Start: 01 00 00 00  06 05 04 03  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: C6 E2 10 8D  62 00 A2 9C  6F CC 19 1F  DF 6B 92 DB
   CTR[0002]: 6C B9 BE EE  1E A2 E9 B3  2D D6 C2 9A  E8 26 D5 C2
   CTR[MIC ]: 44 BF B6 E8  E3 31 67 A9
   Total packet length =   39. [Encrypted]
              00 01 02 03  04 05 06 07  08 09 0A 0B  CA EF 1E 82
              72 11 B0 8F  7B D9 0F 08  C7 72 88 C0  70 A4 A0 8B
              3A 93 3A 63  E4 97 A0



Kato & Kanda            Expires December 27, 2007              [Page 22]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #5 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 07  06 05 04 A0  A1 A2 A3 A4  A5
   Total packet length =   32. [Input (12 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
   CBC IV in: 59 00 00 00  07 06 05 04  A0 A1 A2 A3  A4 A5 00 14
   CBC IV out:73 72 9D 76  7A BD B9 82  60 3A 12 7B  EF 26 FB 80
   After xor: 73 7E 9D 77  78 BE BD 87  66 3D 1A 72  E5 2D FB 80   [hdr]
   After CAM: E1 B7 A6 72  E2 5C 87 75  91 21 22 A4  07 13 CD 5B
   After xor: ED BA A8 7D  F2 4D 95 66  85 34 34 B3  1F 0A D7 40   [msg]
   After CAM: 13 2F 58 D9  5D 0F 95 B8  90 BF 6F 1D  31 84 54 C7
   After xor: 0F 32 46 C6  5D 0F 95 B8  90 BF 6F 1D  31 84 54 C7   [msg]
   After CAM: 47 8F 1E B0  71 24 8B 13  AF C8 C8 44  E6 0F 88 B6
   MIC tag  : 47 8F 1E B0  71 24 8B 13
   CTR Start: 01 00 00 00  07 06 05 04  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: 26 DE B4 D6  5F D4 3C 81  AA 56 98 95  64 09 39 A2
   CTR[0002]: 76 97 69 3A  21 13 0C 39  2E 4E EB BF  48 7B 24 BE
   CTR[MIC ]: C8 2E 65 17  82 15 50 1A
   Total packet length =   40. [Encrypted]
              00 01 02 03  04 05 06 07  08 09 0A 0B  2A D3 BA D9
              4F C5 2E 92  BE 43 8E 82  7C 10 23 B9  6A 8A 77 25
              8F A1 7B A7  F3 31 DB 09

   =============== Packet Vector #6 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 08  07 06 05 A0  A1 A2 A3 A4  A5
   Total packet length =   33. [Input (12 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
              20
   CBC IV in: 59 00 00 00  08 07 06 05  A0 A1 A2 A3  A4 A5 00 15
   CBC IV out:EB 59 05 CC  3F 52 61 10  26 24 75 93  DD B9 A0 F4
   After xor: EB 55 05 CD  3D 51 65 15  20 23 7D 9A  D7 B2 A0 F4   [hdr]
   After CAM: 18 A9 AE A4  3D D2 A9 11  6C 0A E5 4F  40 D1 4D 9F
   After xor: 14 A4 A0 AB  2D C3 BB 02  78 1F F3 58  58 C8 57 84   [msg]
   After CAM: FA C4 13 18  98 54 1B 54  93 9C 64 B8  CB FD 5B 18
   After xor: E6 D9 0D 07  B8 54 1B 54  93 9C 64 B8  CB FD 5B 18   [msg]
   After CAM: 49 E6 E8 ED  32 FB CA 2F  2E 55 CD AF  D0 F2 B3 05
   MIC tag  : 49 E6 E8 ED  32 FB CA 2F
   CTR Start: 01 00 00 00  08 07 06 05  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: F2 A8 46 04  B5 2E BA C0  D7 51 34 BD  D6 54 FC 64
   CTR[0002]: E6 26 A9 24  8B E6 86 CB  92 D6 FB FC  2E F2 91 98
   CTR[MIC ]: E2 D0 49 03  7D 1B 34 07
   Total packet length =   41. [Encrypted]
              00 01 02 03  04 05 06 07  08 09 0A 0B  FE A5 48 0B
              A5 3F A8 D3  C3 44 22 AA  CE 4D E6 7F  FA 3B B7 3B
              AB AB 36 A1  EE 4F E0 FE  28



Kato & Kanda            Expires December 27, 2007              [Page 23]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #7 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 09  08 07 06 A0  A1 A2 A3 A4  A5
   Total packet length =   31. [Input (8 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
   CBC IV in: 61 00 00 00  09 08 07 06  A0 A1 A2 A3  A4 A5 00 17
   CBC IV out:AC F1 5D 79  99 1A 15 BF  5C DC F6 C4  45 AE 1F CB
   After xor: AC F9 5D 78  9B 19 11 BA  5A DB F6 C4  45 AE 1F CB   [hdr]
   After CAM: E9 C0 AC FD  C7 E8 E7 1D  FA E8 8B 66  95 9E 01 45
   After xor: E1 C9 A6 F6  CB E5 E9 12  EA F9 99 75  81 8B 17 52   [msg]
   After CAM: 9C FF ED 72  09 A6 7D 2A  48 B7 29 BF  D8 BE 39 59
   After xor: 84 E6 F7 69  15 BB 63 2A  48 B7 29 BF  D8 BE 39 59   [msg]
   After CAM: 4F 41 FA DE  B2 58 F3 32  54 0A 55 7A  80 4A A3 F5
   MIC tag  : 4F 41 FA DE  B2 58 F3 32  54 0A
   CTR Start: 01 00 00 00  09 08 07 06  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: 5C 5A 2A 2D  E9 41 1F 95  9D 27 CB FF  7A 0B CF 63
   CTR[0002]: 0E D1 6A 97  57 41 32 4F  33 1B 4A 42  B1 4A 54 63
   CTR[MIC ]: E3 EE 59 62  7D 22 BD 8D  C1 79
   Total packet length =   41. [Encrypted]
              00 01 02 03  04 05 06 07  54 53 20 26  E5 4C 11 9A
              8D 36 D9 EC  6E 1E D9 74  16 C8 70 8C  4B 5C 2C AC
              AF A3 BC CF  7A 4E BF 95  73

   =============== Packet Vector #8 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 0A  09 08 07 A0  A1 A2 A3 A4  A5
   Total packet length =   32. [Input (8 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
   CBC IV in: 61 00 00 00  0A 09 08 07  A0 A1 A2 A3  A4 A5 00 18
   CBC IV out:AD CA 1C 1D  45 E7 E2 62  58 D5 DA 46  D8 2F 69 3A
   After xor: AD C2 1C 1C  47 E4 E6 67  5E D2 DA 46  D8 2F 69 3A   [hdr]
   After CAM: FA DE 0E B4  3E CA C1 E9  69 BB 8C A4  7C 0D 80 8F
   After xor: F2 D7 04 BF  32 C7 CF E6  79 AA 9E B7  68 18 96 98   [msg]
   After CAM: D2 87 35 C2  D0 E4 AE 4E  BC C2 99 FF  B3 77 F8 A1
   After xor: CA 9E 2F D9  CC F9 B0 51  BC C2 99 FF  B3 77 F8 A1   [msg]
   After CAM: BD F6 FB 55  9E 90 C0 E7  DF 4B 0C 37  DC 42 32 A2
   MIC tag  : BD F6 FB 55  9E 90 C0 E7  DF 4B
   CTR Start: 01 00 00 00  0A 09 08 07  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: 82 D8 91 0B  16 8A DF 47  E4 C8 39 FC  20 47 4A DB
   CTR[0002]: FB BF 26 7E  0E BB EB 6A  07 4E 29 CF  3D 12 E6 DB
   CTR[MIC ]: CE 7E 1F C4  A0 61 87 E6  2B 0A
   Total packet length =   42. [Encrypted]
              00 01 02 03  04 05 06 07  8A D1 9B 00  1A 87 D1 48
              F4 D9 2B EF  34 52 5C CC  E3 A6 3C 65  12 A6 F5 75
              73 88 E4 91  3E F1 47 01  F4 41




Kato & Kanda            Expires December 27, 2007              [Page 24]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #9 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 0B  0A 09 08 A0  A1 A2 A3 A4  A5
   Total packet length =   33. [Input (8 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
              20
   CBC IV in: 61 00 00 00  0B 0A 09 08  A0 A1 A2 A3  A4 A5 00 19
   CBC IV out:D0 A9 A5 94  00 63 86 40  11 0D DB 40  CA F8 4A 9C
   After xor: D0 A1 A5 95  02 60 82 45  17 0A DB 40  CA F8 4A 9C   [hdr]
   After CAM: 7B CA 4E 2D  79 82 0D 1E  15 22 DD E8  37 B9 B1 F0
   After xor: 73 C3 44 26  75 8F 03 11  05 33 CF FB  23 AC A7 E7   [msg]
   After CAM: 6B 75 9F 83  C0 8F 56 64  F2 FA D5 7F  67 01 B8 21
   After xor: 73 6C 85 98  DC 92 48 7B  D2 FA D5 7F  67 01 B8 21   [msg]
   After CAM: 7D B7 BE FF  72 F3 26 74  9E 20 07 28  1E 5B 1A 8A
   MIC tag  : 7D B7 BE FF  72 F3 26 74  9E 20
   CTR Start: 01 00 00 00  0B 0A 09 08  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: 55 B9 87 69  4C 73 60 3E  C6 1E 8E B1  D2 11 62 36
   CTR[0002]: 82 D9 A4 4B  DC C9 BB 68  A7 FE 15 A5  19 51 57 87
   CTR[MIC ]: E9 61 5C CF  BF D6 EF 8A  21 A7
   Total packet length =   43. [Encrypted]
              00 01 02 03  04 05 06 07  5D B0 8D 62  40 7E 6E 31
              D6 0F 9C A2  C6 04 74 21  9A C0 BE 50  C0 D4 A5 77
              87 94 D6 E2  30 CD 25 C9  FE BF 87

   =============== Packet Vector #10 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 0C  0B 0A 09 A0  A1 A2 A3 A4  A5
   Total packet length =   31. [Input (12 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E
   CBC IV in: 61 00 00 00  0C 0B 0A 09  A0 A1 A2 A3  A4 A5 00 13
   CBC IV out:B1 85 73 A3  1C 6F EC 01  90 E3 CE 94  27 11 04 B9
   After xor: B1 89 73 A2  1E 6C E8 04  96 E4 C6 9D  2D 1A 04 B9   [hdr]
   After CAM: A6 AD EA 9C  FA 3F 76 78  4C 17 8A F3  DC 69 F0 82
   After xor: AA A0 E4 93  EA 2E 64 6B  58 02 9C E4  C4 70 EA 99   [msg]
   After CAM: 35 50 B7 27  78 F8 C6 BF  02 4B 65 60  05 C0 E1 ED
   After xor: 29 4D A9 27  78 F8 C6 BF  02 4B 65 60  05 C0 E1 ED   [msg]
   After CAM: 3D B5 A6 E6  85 AF 1C 58  80 B0 32 2E  01 74 91 FC
   MIC tag  : 3D B5 A6 E6  85 AF 1C 58  80 B0
   CTR Start: 01 00 00 00  0C 0B 0A 09  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: D7 1C 82 C1  D1 A9 64 0F  93 69 CE 81  22 7E CC E8
   CTR[0002]: A7 A1 42 44  32 4E 69 FE  4C D0 36 65  A5 31 0B AB
   CTR[MIC ]: ED 27 3F 0D  94 5C 0E AA  B2 87
   Total packet length =   41. [Encrypted]
              00 01 02 03  04 05 06 07  08 09 0A 0B  DB 11 8C CE
              C1 B8 76 1C  87 7C D8 96  3A 67 D6 F3  BB BC 5C D0
              92 99 EB 11  F3 12 F2 32  37



Kato & Kanda            Expires December 27, 2007              [Page 25]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #11 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 0D  0C 0B 0A A0  A1 A2 A3 A4  A5
   Total packet length =   32. [Input (12 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
   CBC IV in: 61 00 00 00  0D 0C 0B 0A  A0 A1 A2 A3  A4 A5 00 14
   CBC IV out:45 DF B5 07  6F BB 10 EA  F1 15 15 AD  21 4F B0 0E
   After xor: 45 D3 B5 06  6D B8 14 EF  F7 12 1D A4  2B 44 B0 0E   [hdr]
   After CAM: 17 52 F9 6D  DD BC 5B 1C  1E EB 80 FC  F6 10 AC 03
   After xor: 1B 5F F7 62  CD AD 49 0F  0A FE 96 EB  EE 09 B6 18   [msg]
   After CAM: BE F0 A0 B9  EC 94 B6 B3  E8 EC 1B 82  14 14 09 87
   After xor: A2 ED BE A6  EC 94 B6 B3  E8 EC 1B 82  14 14 09 87   [msg]
   After CAM: 70 16 E4 F9  C4 2C 30 10  84 BF EC 69  34 89 91 FD
   MIC tag  : 70 16 E4 F9  C4 2C 30 10  84 BF
   CTR Start: 01 00 00 00  0D 0C 0B 0A  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: 70 C5 33 82  D4 80 11 41  4F 5D 2B D2  D2 67 B3 B0
   CTR[0002]: 9D 36 6E 49  39 C5 16 76  5C 1C 25 12  81 79 94 70
   CTR[MIC ]: 77 8B 4B 03  1E 3A FC DF  A8 F1
   Total packet length =   42. [Encrypted]
              00 01 02 03  04 05 06 07  08 09 0A 0B  7C C8 3D 8D
              C4 91 03 52  5B 48 3D C5  CA 7E A9 AB  81 2B 70 56
              07 9D AF FA  DA 16 CC CF  2C 4E

   =============== Packet Vector #12 ==================
   CAM Key:   C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF
   Nonce =    00 00 00 0E  0D 0C 0B A0  A1 A2 A3 A4  A5
   Total packet length =   33. [Input (12 cleartext header octets)]
              00 01 02 03  04 05 06 07  08 09 0A 0B  0C 0D 0E 0F
              10 11 12 13  14 15 16 17  18 19 1A 1B  1C 1D 1E 1F
              20
   CBC IV in: 61 00 00 00  0E 0D 0C 0B  A0 A1 A2 A3  A4 A5 00 15
   CBC IV out:81 E4 EB 1E  50 A9 70 CE  18 CA 1A 4B  68 39 80 2E
   After xor: 81 E8 EB 1F  52 AA 74 CB  1E CD 12 42  62 32 80 2E   [hdr]
   After CAM: 04 AB D9 62  34 B9 8F 32  8C 0F 08 3F  3D 87 9D 57
   After xor: 08 A6 D7 6D  24 A8 9D 21  98 1A 1E 28  25 9E 87 4C   [msg]
   After CAM: BD A2 EA CB  3A DA 6A E7  9F BB C2 2C  E6 4C 98 89
   After xor: A1 BF F4 D4  1A DA 6A E7  9F BB C2 2C  E6 4C 98 89   [msg]
   After CAM: B6 FC E1 46  D3 EA DC 91  E0 AB 10 AD  D8 55 E7 03
   MIC tag  : B6 FC E1 46  D3 EA DC 91  E0 AB
   CTR Start: 01 00 00 00  0E 0D 0C 0B  A0 A1 A2 A3  A4 A5 00 01
   CTR[0001]: 20 DE 55 87  30 C3 2C 69  B7 44 A6 FE  37 DE 89 7C
   CTR[0002]: 3F 96 32 D8  68 6D C2 B5  22 97 42 27  EB F9 26 5E
   CTR[MIC ]: 7D 45 AD 6F  94 93 E1 F5  4F DE
   Total packet length =   43. [Encrypted]
              00 01 02 03  04 05 06 07  08 09 0A 0B  2C D3 5B 88
              20 D2 3E 7A  A3 51 B0 E9  2F C7 93 67  23 8B 2C C7
              48 CB B9 4C  29 47 79 3D  64 AF 75



Kato & Kanda            Expires December 27, 2007              [Page 26]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #13 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 A9 70 11  0E 19 27 B1  60 B6 A3 1C  1C
   Total packet length =   31. [Input (8 cleartext header octets)]
              6B 7F 46 45  07 FA E4 96  C6 B5 F3 E6  CA 23 11 AE
              F7 47 2B 20  3E 73 5E A5  61 AD B1 7D  56 C5 A3
   CBC IV in: 59 00 A9 70  11 0E 19 27  B1 60 B6 A3  1C 1C 00 17
   CBC IV out:D7 24 B0 0F  B1 87 04 C6  C1 4E 90 37  AA F2 F1 F9
   After xor: D7 2C DB 70  F7 C2 03 3C  25 D8 90 37  AA F2 F1 F9   [hdr]
   After CAM: 9B 13 6D E3  D9 9F C3 6D  7D 0D B7 D8  A1 BF E9 BD
   After xor: 5D A6 9E 05  13 BC D2 C3  8A 4A 9C F8  9F CC B7 18   [msg]
   After CAM: F8 BF 25 7D  23 F8 D9 B5  82 E6 C9 3E  C8 9B 85 73
   After xor: 99 12 94 00  75 3D 7A B5  82 E6 C9 3E  C8 9B 85 73   [msg]
   After CAM: D9 D6 62 21  6D B2 CA FD  1F C6 FE 9D  2C AF 5B 69
   MIC tag  : D9 D6 62 21  6D B2 CA FD
   CTR Start: 01 00 A9 70  11 0E 19 27  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 62 80 24 C1  FE AE CC 8C  67 38 55 98  CB 8E E5 E8
   CTR[0002]: F2 30 17 2F  1B 71 55 9F  8B CE 79 E5  13 01 FC 6A
   CTR[MIC ]: 9C 8E A2 0C  48 03 ED 13
   Total packet length =   39. [Encrypted]
              6B 7F 46 45  07 FA E4 96  A4 35 D7 27  34 8D DD 22
              90 7F 7E B8  F5 FD BB 4D  93 9D A6 52  4D B4 F6 45
              58 C0 2D 25  B1 27 EE

   =============== Packet Vector #14 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 83 CD 8C  E0 CB 42 B1  60 B6 A3 1C  1C
   Total packet length =   32. [Input (8 cleartext header octets)]
              98 66 05 B4  3D F1 5D E7  01 F6 CE 67  64 C5 74 48
              3B B0 2E 6B  BF 1E 0A BD  26 A2 25 72  B4 D8 0E E7
   CBC IV in: 59 00 83 CD  8C E0 CB 42  B1 60 B6 A3  1C 1C 00 18
   CBC IV out:A0 8A 29 78  36 23 1D 84  96 76 93 FF  0A 4C 92 7A
   After xor: A0 82 B1 1E  33 97 20 75  CB 91 93 FF  0A 4C 92 7A   [hdr]
   After CAM: 8C F5 F4 23  BF 09 1C 74  CD 47 00 C1  32 5D 5C 92
   After xor: 8D 03 3A 44  DB CC 68 3C  F6 F7 2E AA  8D 43 56 2F   [msg]
   After CAM: 69 DA 48 24  41 1E AC 8E  A9 0A CD 8B  DD 00 2B 9A
   After xor: 4F 78 6D 56  F5 C6 A2 69  A9 0A CD 8B  DD 00 2B 9A   [msg]
   After CAM: C2 03 3B 08  6D B3 CB 3B  2C C8 5D E7  76 A1 C0 44
   MIC tag  : C2 03 3B 08  6D B3 CB 3B
   CTR Start: 01 00 83 CD  8C E0 CB 42  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 8B 16 9C 37  EB 7B BE DB  15 84 41 6E  5F C2 07 46
   CTR[0002]: E9 31 BB DD  4E E6 56 9B  68 95 13 5F  AB A4 DF EF
   CTR[MIC ]: 44 7E 55 14  25 C3 F3 3D
   Total packet length =   40. [Encrypted]
              98 66 05 B4  3D F1 5D E7  8A E0 52 50  8F BE CA 93
              2E 34 6F 05  E0 DC 0D FB  CF 93 9E AF  FA 3E 58 7C
              86 7D 6E 1C  48 70 38 06




Kato & Kanda            Expires December 27, 2007              [Page 27]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #15 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 5F 54 95  0B 18 F2 B1  60 B6 A3 1C  1C
   Total packet length =   33. [Input (8 cleartext header octets)]
              48 F2 E7 E1  A7 67 1A 51  CD F1 D8 40  6F C2 E9 01
              49 53 89 70  05 FB FB 8B  A5 72 76 F9  24 04 60 8E
              08
   CBC IV in: 59 00 5F 54  95 0B 18 F2  B1 60 B6 A3  1C 1C 00 19
   CBC IV out:76 74 53 37  95 23 3C F0  EB 77 CE 93  73 06 99 A8
   After xor: 76 7C 1B C5  72 C2 9B 97  F1 26 CE 93  73 06 99 A8   [hdr]
   After CAM: EF 79 8B 70  34 E4 D5 6B  57 3A F9 44  F0 AF D6 9A
   After xor: 22 88 53 30  5B 26 3C 6A  1E 69 70 34  F5 54 2D 11   [msg]
   After CAM: 63 BF 4E 10  01 79 38 0B  E4 EC C1 39  B2 B4 3B 8C
   After xor: C6 CD 38 E9  25 7D 58 85  EC EC C1 39  B2 B4 3B 8C   [msg]
   After CAM: 39 E1 0E FA  BD 2F 43 00  50 9E E7 EB  A4 FF 6B 8F
   MIC tag  : 39 E1 0E FA  BD 2F 43 00
   CTR Start: 01 00 5F 54  95 0B 18 F2  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: C5 47 A6 A2  73 49 1B 6F  0E 6D C9 F5  9C 12 3B 08
   CTR[0002]: C8 18 86 42  3C DB 35 C8  64 4D 8C 4C  58 01 47 27
   CTR[MIC ]: 91 E9 76 5D  2D 68 2E E5
   Total packet length =   41. [Encrypted]
              48 F2 E7 E1  A7 67 1A 51  08 B6 7E E2  1C 8B F2 6E
              47 3E 40 85  99 E9 C0 83  6D 6A F0 BB  18 DF 55 46
              6C A8 08 78  A7 90 47 6D  E5

   =============== Packet Vector #16 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 EC 60 08  63 31 9A B1  60 B6 A3 1C  1C
   Total packet length =   31. [Input (12 cleartext header octets)]
              DE 97 DF 3B  8C BD 6D 8E  50 30 DA 4C  B0 05 DC FA
              0B 59 18 14  26 A9 61 68  5A 99 3D 8C  43 18 5B
   CBC IV in: 59 00 EC 60  08 63 31 9A  B1 60 B6 A3  1C 1C 00 13
   CBC IV out:78 EE 05 5A  88 48 E3 5B  8A 45 46 8F  35 4F 0C A2
   After xor: 78 E2 DB CD  57 73 6F E6  E7 CB 16 BF  EF 03 0C A2   [hdr]
   After CAM: A9 C6 7F 15  00 1A C6 92  81 67 BD EC  DF D2 35 C9
   After xor: 19 C3 A3 EF  0B 43 DE 86  A7 CE DC 84  85 4B 08 45   [msg]
   After CAM: 7C A8 9C 90  46 42 4B E2  4D 96 DF CF  BA 12 FD 18
   After xor: 3F B0 C7 90  46 42 4B E2  4D 96 DF CF  BA 12 FD 18   [msg]
   After CAM: 89 C7 B4 E8  A4 24 8C 6C  52 ED 34 50  E3 53 AD F5
   MIC tag  : 89 C7 B4 E8  A4 24 8C 6C
   CTR Start: 01 00 EC 60  08 63 31 9A  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: D3 B2 57 B3  6C E8 86 CF  91 9A AC 79  4E 6F 73 3E
   CTR[0002]: 65 10 C8 72  39 AF 0F 52  9F D0 A4 DF  54 BF D6 EB
   CTR[MIC ]: E1 04 E0 6A  29 B1 80 A9
   Total packet length =   39. [Encrypted]
              DE 97 DF 3B  8C BD 6D 8E  50 30 DA 4C  63 B7 8B 49
              67 B1 9E DB  B7 33 CD 11  14 F6 4E B2  26 08 93 68
              C3 54 82 8D  95 0C C5



Kato & Kanda            Expires December 27, 2007              [Page 28]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #17 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 60 CF F1  A3 1E A1 B1  60 B6 A3 1C  1C
   Total packet length =   32. [Input (12 cleartext header octets)]
              A5 EE 93 E4  57 DF 05 46  6E 78 2D CF  2E 20 21 12
              98 10 5F 12  9D 5E D9 5B  93 F7 2D 30  B2 FA CC D7
   CBC IV in: 59 00 60 CF  F1 A3 1E A1  B1 60 B6 A3  1C 1C 00 14
   CBC IV out:C3 34 69 7D  11 38 73 06  BD 34 E2 10  1F 66 17 E8
   After xor: C3 38 CC 93  82 DC 24 D9  B8 72 8C 68  32 A9 17 E8   [hdr]
   After CAM: 43 6F 37 74  AB 94 3B 41  EA AD 00 CA  C3 99 13 7B
   After xor: 6D 4F 16 66  33 84 64 53  77 F3 D9 91  50 6E 3E 4B   [msg]
   After CAM: 2D 28 FB 62  DA 06 97 A7  4C D4 31 B8  B5 AE AE EE
   After xor: 9F D2 37 B5  DA 06 97 A7  4C D4 31 B8  B5 AE AE EE   [msg]
   After CAM: F3 DE 10 CD  91 4D B1 B6  CC 37 F0 A2  4A 5A B7 A1
   MIC tag  : F3 DE 10 CD  91 4D B1 B6
   CTR Start: 01 00 60 CF  F1 A3 1E A1  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 25 E6 9A F0  30 A9 56 E6  FF C0 3F 87  87 7A 89 74
   CTR[0002]: A2 1B 46 23  76 A2 1E DD  F2 AC 4B EC  42 95 3D D3
   CTR[MIC ]: C2 99 28 FF  E7 BB DB 29
   Total packet length =   40. [Encrypted]
              A5 EE 93 E4  57 DF 05 46  6E 78 2D CF  0B C6 BB E2
              A8 B9 09 F4  62 9E E6 DC  14 8D A4 44  10 E1 8A F4
              31 47 38 32  76 F6 6A 9F

   =============== Packet Vector #18 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 0F 85 CD  99 5C 97 B1  60 B6 A3 1C  1C
   Total packet length =   33. [Input (12 cleartext header octets)]
              24 AA 1B F9  A5 CD 87 61  82 A2 50 74  26 45 94 1E
              75 63 2D 34  91 AF 0F C0  C9 87 6C 3B  E4 AA 74 68
              C9
   CBC IV in: 59 00 0F 85  CD 99 5C 97  B1 60 B6 A3  1C 1C 00 15
   CBC IV out:72 0A 46 75  0F 40 59 53  F2 3B D2 1F  6A 11 60 F6
   After xor: 72 06 62 DF  14 B9 FC 9E  75 5A 50 BD  3A 65 60 F6   [hdr]
   After CAM: 67 73 A0 FD  D5 7E D3 5E  E8 24 06 D0  A1 8B 0E 18
   After xor: 41 36 34 E3  A0 1D FE 6A  79 8B 09 10  68 0C 62 23   [msg]
   After CAM: BB 1E D8 9F  60 29 D0 99  09 14 06 A5  E3 8B 72 7B
   After xor: 5F B4 AC F7  A9 29 D0 99  09 14 06 A5  E3 8B 72 7B   [msg]
   After CAM: 3E 4F 40 73  D1 31 E9 B8  02 C8 99 BC  FD AC 19 4B
   MIC tag  : 3E 4F 40 73  D1 31 E9 B8
   CTR Start: 01 00 0F 85  CD 99 5C 97  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 04 6F 42 2C  8F 52 FB 9B  06 A3 3B 9F  B7 F0 A6 00
   CTR[0002]: 34 76 51 DB  89 10 FB E6  73 E8 56 6E  DB 66 47 5D
   CTR[MIC ]: 9F EC 93 6C  5C 7A AD 0F
   Total packet length =   41. [Encrypted]
              24 AA 1B F9  A5 CD 87 61  82 A2 50 74  22 2A D6 32
              FA 31 D6 AF  97 0C 34 5F  7E 77 CA 3B  D0 DC 25 B3
              40 A1 A3 D3  1F 8D 4B 44  B7



Kato & Kanda            Expires December 27, 2007              [Page 29]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #19 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 C2 9B 2C  AA C4 CD B1  60 B6 A3 1C  1C
   Total packet length =   31. [Input (8 cleartext header octets)]
              69 19 46 B9  CA 07 BE 87  07 01 35 A6  43 7C 9D B1
              20 CD 61 D8  F6 C3 9C 3E  A1 25 FD 95  A0 D2 3D
   CBC IV in: 61 00 C2 9B  2C AA C4 CD  B1 60 B6 A3  1C 1C 00 17
   CBC IV out:74 AD F8 04  05 2A 48 E7  46 97 38 D5  BA A1 27 79
   After xor: 74 A5 91 1D  43 93 82 E0  F8 10 38 D5  BA A1 27 79   [hdr]
   After CAM: BD C3 B1 41  1C 64 C8 B3  A9 DC 6A 94  78 97 88 E2
   After xor: BA C2 84 E7  5F 18 55 02  89 11 0B 4C  8E 54 14 DC   [msg]
   After CAM: 7D 6C 8A BF  AD 68 48 D8  C5 FB CD 1E  AF F2 44 99
   After xor: DC 49 77 2A  0D BA 75 D8  C5 FB CD 1E  AF F2 44 99   [msg]
   After CAM: 19 99 AB 92  5E 30 46 96  3D EF FB 1B  4C 87 F7 76
   MIC tag  : 19 99 AB 92  5E 30 46 96  3D EF
   CTR Start: 01 00 C2 9B  2C AA C4 CD  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 02 B9 D4 1F  87 E0 60 E7  EF DE 6B 7E  D3 DE 5E D2
   CTR[0002]: 61 49 31 C5  2F 34 AA 47  A3 E4 D3 2C  0B 36 41 C6
   CTR[MIC ]: B9 9F C6 C5  96 7B AA 8E  1A 87
   Total packet length =   41. [Encrypted]
              69 19 46 B9  CA 07 BE 87  05 B8 E1 B9  C4 9C FD 56
              CF 13 0A A6  25 1D C2 EC  C0 6C CC 50  8F E6 97 A0
              06 6D 57 C8  4B EC 18 27  68

   =============== Packet Vector #20 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 2C 6B 75  95 EE 62 B1  60 B6 A3 1C  1C
   Total packet length =   32. [Input (8 cleartext header octets)]
              D0 C5 4E CB  84 62 7D C4  C8 C0 88 0E  6C 63 6E 20
              09 3D D6 59  42 17 D2 E1  88 77 DB 26  4E 71 A5 CC
   CBC IV in: 61 00 2C 6B  75 95 EE 62  B1 60 B6 A3  1C 1C 00 18
   CBC IV out:35 A9 48 70  F9 B0 C7 85  FB 32 1A D1  3C 8C A4 9A
   After xor: 35 A1 98 B5  B7 7B 43 E7  86 F6 1A D1  3C 8C A4 9A   [hdr]
   After CAM: 0A 3C E3 0F  AC 09 DC 5C  00 10 5C 69  AC 19 F7 19
   After xor: C2 FC 6B 01  C0 6A B2 7C  09 2D 8A 30  EE 0E 25 F8   [msg]
   After CAM: 61 CD 80 D0  72 E6 84 E1  BF E1 4A 00  27 2A 4D 96
   After xor: E9 BA 5B F6  3C 97 21 2D  BF E1 4A 00  27 2A 4D 96   [msg]
   After CAM: E5 F9 F2 AB  47 FD 7B 8D  6F 72 F4 72  74 D7 69 BB
   MIC tag  : E5 F9 F2 AB  47 FD 7B 8D  6F 72
   CTR Start: 01 00 2C 6B  75 95 EE 62  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 9C 0E 31 66  B2 81 58 31  5E 63 16 5A  9D BD CE 35
   CTR[0002]: 00 3E 66 D3  E0 5F 7E A7  EF C8 9A 5F  DD 39 E3 54
   CTR[MIC ]: 9A 5E 87 1A  17 10 38 0E  AA DB
   Total packet length =   42. [Encrypted]
              D0 C5 4E CB  84 62 7D C4  54 CE B9 68  DE E2 36 11
              57 5E C0 03  DF AA 1C D4  88 49 BD F5  AE 2E DB 6B
              7F A7 75 B1  50 ED 43 83  C5 A9




Kato & Kanda            Expires December 27, 2007              [Page 30]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


   =============== Packet Vector #21 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 C5 3C D4  C2 AA 24 B1  60 B6 A3 1C  1C
   Total packet length =   33. [Input (8 cleartext header octets)]
              E2 85 E0 E4  80 8C DA 3D  F7 5D AA 07  10 C4 E6 42
              97 79 4D C2  B7 D2 A2 07  57 B1 AA 4E  44 80 02 FF
              AB
   CBC IV in: 61 00 C5 3C  D4 C2 AA 24  B1 60 B6 A3  1C 1C 00 19
   CBC IV out:2A 3C 23 B2  43 F5 1C 35  F7 79 5A CB  3B 20 21 2F
   After xor: 2A 34 C1 37  A3 11 9C B9  2D 44 5A CB  3B 20 21 2F   [hdr]
   After CAM: A1 7E AD 4C  EE AB 51 21  1D 2A 32 F2  D4 45 A6 D6
   After xor: 56 23 07 4B  FE 6F B7 63  8A 53 7F 30  63 97 04 D1   [msg]
   After CAM: A9 A1 32 55  8F C6 9B 98  A9 CC 23 96  FE CA 84 EB
   After xor: FE 10 98 1B  CB 46 99 67  02 CC 23 96  FE CA 84 EB   [msg]
   After CAM: 6A 5E 04 42  D1 A5 7E 17  9A 6C 8B 56  F7 19 80 C5
   MIC tag  : 6A 5E 04 42  D1 A5 7E 17  9A 6C
   CTR Start: 01 00 C5 3C  D4 C2 AA 24  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 46 1D EF 41  AF A2 94 52  5D 51 AE CB  04 49 74 CD
   CTR[0002]: 29 2E 62 66  1B 66 9A 2B  97 72 6B 77  32 A8 DC 35
   CTR[MIC ]: B8 54 06 A2  6C 6F 93 37  8A BF
   Total packet length =   43. [Encrypted]
              E2 85 E0 E4  80 8C DA 3D  B1 40 45 46  BF 66 72 10
              CA 28 E3 09  B3 9B D6 CA  7E 9F C8 28  5F E6 98 D4
              3C D2 0A 02  E0 BD CA ED  20 10 D3

   =============== Packet Vector #22 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 BE E9 26  7F BA DC B1  60 B6 A3 1C  1C
   Total packet length =   31. [Input (12 cleartext header octets)]
              6C AE F9 94  11 41 57 0D  7C 81 34 05  C2 38 82 2F
              AC 5F 98 FF  92 94 05 B0  AD 12 7A 4E  41 85 4E
   CBC IV in: 61 00 BE E9  26 7F BA DC  B1 60 B6 A3  1C 1C 00 13
   CBC IV out:20 60 6A D1  E1 A0 84 52  2F A3 8B F4  88 1D D6 8B
   After xor: 20 6C 06 7F  18 34 95 13  78 AE F7 75  BC 18 D6 8B   [hdr]
   After CAM: 71 FD FF E7  D9 C8 95 75  D3 EC 0B 7E  7B 8B BE E7
   After xor: B3 C5 7D C8  75 97 0D 8A  41 78 0E CE  D6 99 C4 A9   [msg]
   After CAM: CA AD 93 9C  59 BA 40 AA  1A 0B 88 1B  EE 3D 3C 65
   After xor: 8B 28 DD 9C  59 BA 40 AA  1A 0B 88 1B  EE 3D 3C 65   [msg]
   After CAM: DC 48 8F AA  9C 75 E7 03  17 56 C2 C7  48 48 8D 1B
   MIC tag  : DC 48 8F AA  9C 75 E7 03  17 56
   CTR Start: 01 00 BE E9  26 7F BA DC  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 56 F0 17 B3  BD 09 02 D6  EA A5 A2 91  AD 4A 2D E5
   CTR[0002]: 20 3D 34 21  EF 5B F8 FC  7B 21 5C 76  7B A5 21 A6
   CTR[MIC ]: F1 A2 86 9C  2A 9E B8 61  48 0B
   Total packet length =   41. [Encrypted]
              6C AE F9 94  11 41 57 0D  7C 81 34 05  94 C8 95 9C
              11 56 9A 29  78 31 A7 21  00 58 57 AB  61 B8 7A 2D
              EA 09 36 B6  EB 5F 62 5F  5D



Kato & Kanda            Expires December 27, 2007              [Page 31]

Internet-Draft value in the counter block.

   Camellia-CCM with a 128-bit key
      The Additional Modes of KEYMAT requested for each Camellia-CCM key is 19 octets.  The
      first 16 octets are the 128-bit Camellia key, and the remaining
      three octets are used as the salt value in IPsec      June 2007


   =============== Packet Vector #23 ==================
   CAM Key:   D7 5C the counter block.

   Camellia-CCM with a 192-bit key
      The KEYMAT requested for each Camellia-CCM key is 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 DF A8 B1  24 50 07 B1  60 B6 A3 1C  1C
   Total packet length =   32. [Input (12 cleartext header octets)]
              36 A5 2C F1  6B 19 A2 03  7A B7 01 1E  4D BF 3E 77
              4A D2 45 E5  D5 89 1F 9D  1C 32 A0 AE  02 2C 85 D7
   CBC IV in: 61 00 DF A8  B1 24 50 07  B1 60 B6 A3  1C 1C 00 14
   CBC IV out:78 FD B6 AF  61 9E 1C 8D  82 41 17 A8  73 60 1B 70
   After xor: 78 F1 80 0A  4D 6F 77 94  20 42 6D 1F  72 7E 1B 70   [hdr]
   After CAM: 62 2E 28 65  92 43 DB 82  88 79 09 1E  A7 24 54 67
   After xor: 2F 91 16 12  D8 91 9E 67  5D F0 16 83  BB 16 F4 C9   [msg]
   After CAM: 95 0E 52 08  FF 16 70 8C  1E D9 BB 06  3E 1E 41 CF
   After xor: 97 22 D7 DF  FF 16 70 8C  1E D9 BB 06  3E 1E 41 CF   [msg]
   After CAM: BA CD 51 FC  77 F4 02 8D  47 D5 7D 54  7D 46 33 4B
   MIC tag  : BA CD 51 FC  77 F4 02 8D  47 D5
   CTR Start: 01 00 DF A8  B1 octets.  The
      first 24 50 07  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: 15 D6 DD DD  98 96 39 91 octets are the 192-bit Camellia key, and the remaining
      three octets are used as the salt value in the counter block.

   Camellia-CCM with a 256-bit key
      The KEYMAT requested for each Camellia-CCM key is 35 75 1A 64  B8 D8 D4 F9
   CTR[0002]: 7D 61 6D 1D  EB 92 00 2B  6F FA AB 53  BC AF 69 89
   CTR[MIC ]: 33 E9 27 BE  E1 59 06 9C  DB octets.  The
      first 32
   Total packet length =   42. [Encrypted]
              36 A5 2C F1  6B 19 A2 03  7A B7 01 1E  58 69 E3 AA
              D2 44 7C 74  E0 FC 05 F9  A4 EA 74 57  7F 4D E8 CA
              89 24 76 42  96 AD 04 11  9C E7

   =============== Packet Vector #24 ==================
   CAM Key:   D7 5C 27 78  07 8C A9 3D  97 1F 96 FD  E7 20 F4 CD
   Nonce =    00 3B 8F D8  D3 A9 37 B1  60 B6 A3 1C  1C
   Total packet length =   33. [Input (12 cleartext header octets)]
              A4 D4 99 F7  84 19 72 8C  19 17 8B 0C  9D C9 ED AE
              2F F5 DF 86  36 E8 C6 DE  0E ED 55 F7  86 7E 33 33
              7D
   CBC IV in: 61 00 3B 8F  D8 D3 A9 37  B1 60 B6 A3  1C 1C 00 15
   CBC IV out:84 E6 CF DD  6A 37 68 5D  E6 71 AD 54  B3 BE FE B9
   After xor: 84 EA 6B 09  F3 C0 EC 44  94 FD B4 43  38 B2 FE B9   [hdr]
   After CAM: C5 0F A0 62  20 18 F1 21  0E BC 3D 2E  47 B7 B8 C3
   After xor: 58 C6 4D CC  0F ED 2E A7  38 54 FB F0  49 5A ED 34   [msg]
   After CAM: C4 6F 6D C3  17 3C 2A 7A  81 FC 2D DA  7F B7 C6 60
   After xor: 42 11 5E F0  6A 3C 2A 7A  81 FC 2D DA  7F B7 C6 60   [msg]
   After CAM: DF AB 2E 76  B0 67 50 B3  7C DD 9A AC  F3 79 17 71
   MIC tag  : DF AB 2E 76  B0 67 50 B3  7C DD
   CTR Start: 01 00 3B 8F  D8 D3 A9 37  B1 60 B6 A3  1C 1C 00 01
   CTR[0001]: D6 D0 6C F8  16 CE D0 F1  A0 E0 AC 71  BA B9 AD 34
   CTR[0002]: 76 4A FF 9A  1B F8 55 1F  68 54 39 0A  EE 37 24 28
   CTR[MIC ]: 4B F4 31 B8  17 86 4B 5D  16 F2
   Total packet length =   43. [Encrypted]
              A4 D4 99 F7  84 19 72 8C  19 17 8B 0C  4B 19 81 56
              39 3B 0F 77  96 08 6A AF  B4 54 F8 C3  F0 34 CC A9
              66 94 5F 1F  CE A7 E1 1B  EE 6A 2F octets are the 256-bit Camellia key, and the remaining
      three octets are used as the salt value in the counter block.



























Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 32] 18]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


7.


6.  Security Considerations

   Implementations are encouraged to use the largest key sizes they can,
   taking into account performance considerations for their particular
   hardware and software configuration.  Note that encryption
   necessarily affects both sides of a secure channel, so such
   consideration must take into account not only the client side, but
   also the server.  However, a key size of 128 bits is considered
   secure for the foreseeable future.

   Camellia-CTR and Camellia-CCM employs counter (CTR) mode for
   confidentiality.  If a counter value is ever used for more that one
   packet with the same key, then the same key stream will be used to
   encrypt both packets, and the confidentiality guarantees are voided.

   What happens if the encryptor XORs the same key stream with two
   different packet plaintexts?  Suppose two packets are defined by two
   plaintext byte sequences P1, P2, P3 and Q1, Q2, Q3, then both are
   encrypted with key stream K1, K2, K3.  The two corresponding
   ciphertexts are:

         (P1 XOR K1), (P2 XOR K2), (P3 XOR K3)

         (Q1 XOR K1), (Q2 XOR K2), (Q3 XOR K3)


   If both of these two ciphertext streams are exposed to an attacker,
   then a catastrophic failure of confidentiality results, because:

         (P1 XOR K1) XOR (Q1 XOR K1) = P1 XOR Q1
         (P2 XOR K2) XOR (Q2 XOR K2) = P2 XOR Q2
         (P3 XOR K3) XOR (Q3 XOR K3) = P3 XOR Q3

   Once the attacker obtains the two plaintexts XORed together, it is
   relatively straightforward to separate them.  Thus, using any stream
   cipher, including Camellia-CTR, to encrypt two plaintexts under the
   same key stream leaks the plaintext.

   Therefore, Camellia-CTR and Camellia-CCM should not be used with
   statically configured keys.  Extraordinary measures would be needed
   to prevent the reuse of a counter block value with the static key
   across power cycles.  To be safe, implementations MUST use fresh keys
   with Camellia-CTR and Camellia-CCM.  The IKE [2] and IKEv2 [8] [6] protocol can be
   used to establish fresh keys.

   When IKE is used to establish fresh keys between two peer entities,
   separate keys are established for the two traffic flows.  If a
   different mechanism is used to establish fresh keys, one that



Kato & Kanda              Expires May 19, 2008                 [Page 19]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


   establishes only a single key to encrypt packets, then there is a
   high probability that the peers will select the same IV values for
   some packets.  Thus, to avoid counter block collisions, ESP
   implementations that permit use of the same key for encrypting and
   decrypting packets with the same peer MUST ensure that the two peers
   assign different salt values to the security association (SA). SA.

   Regardless of the mode used, Camellia with a 128-bit key is



Kato & Kanda            Expires December 27, 2007              [Page 33]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007
   vulnerable to the birthday attack after 2^64 blocks are encrypted
   with a single key.  Since ESP with Extended Sequence Numbers allows
   for up to 2^64 packets in a single SA, there is real potential for
   more than 2^64 blocks to be encrypted with one key.  Implementations
   SHOULD generate a fresh key before 2^64 blocks are encrypted with the
   same key.  Note that ESP with 32-bit Sequence Numbers will not exceed
   2^64 blocks even if all of the packets are maximum-length Jumbograms.

   No security problem has been found on Camellia [10], [9].


































Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 34] 20]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


8.


7.  IANA Considerations

   IANA has assigned three ESP transform numbers five IKEv2 parameters for use with Camellia-
   CTR Camellia-CBC,
   Camellia-CTR and Camellia-CCM: Camellia-CCM for Transform Type 1 (Encryption
   Algorithm):

         <TBD1> for Camellia-CTR with and explict IV; ENCR_CAMELLIA_CBC;
         <TBD2> for Camellia-CCM ENCR_CAMELLIA_CTR;
         <TBD3> for ENCR_CAMELLIA_CCM with an 8-octet ICV;
         <TBD3>
         <TBD4> for Camellia-CCM ENCR_CAMELLIA_CCM with a 12-octet ICV; and
         <TBD4>
         <TBD5> for Camellia-CCM ENCR_CAMELLIA_CCM with a 16-octet ICV.








































Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 35] 21]

Internet-Draft  The Additional Modes of Camellia in IPsec      June 2007


9.  References

9.1.  Normative

   [1]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [2]   Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
         RFC 2409, November 1998.

   [3]   Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document
         Roadmap", RFC 2411,  November 1998.

   [4]   Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-
         MAC (CCM)", RFC 3610, September 2003.

   [5]   Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
         Camellia Encryption Algorithm", RFC 3713, April 2004.

   [6]   Kent, S. and K. Seo, "Security Architecture for the Internet
         Protocol", RFC 4301, December 2005.

   [7]   Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
         December 2005.

   [8]   Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
         RFC 4306, December 2005.

   [9]   Dworkin, M., "Recommendation for Block Cipher Modes of
         Operation - Methods 2007


8.  Acknowledgements

   We thank Tim Polk and Techniques", NIST Special
         Publication 800-38A, November 2001, <http://csrc.nist.gov/
         publications/nistpubs/800-38a/sp800-38a.pdf>.

9.2.  Informative

   [10]  Piper, D., "The Internet IP Security Domain of Interpretation Tero Kivinen for ISAKMP", RFC 2407, November 1998.

   [11]  Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms",
         RFC 2675, August 1999.

   [12]  Moriai, S. and A. Kato, "Use their initial review of the Camellia Encryption
         Algorithm in Cryptographic Message Syntax (CMS)", RFC 3657,
         January 2004.

   [13]  Housley, R., "Using Advanced Encryption Standard (AES) Counter
         Mode With IPsec Encapsulating Security Payload (ESP)",
         RFC 3686, January 2004. this
   document.















































Kato & Kanda            Expires December 27, 2007              Expires May 19, 2008                 [Page 36] 22]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


   [14]  Eastlake, D., "Additional XML Security Uniform Resource
         Identifiers (URIs)", RFC 4051, April 2005.

   [15]  Moriai, S., Kato, A.,


9.  References

9.1.  Normative

   [1]   Matsui, M., Nakajima, J., and M. Kanda, "Addition S. Moriai, "A Description of the
         Camellia
         Cipher Suites to Transport Layer Security (TLS)", RFC 4132,
         July 2005.

   [16]  Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode
         with IPsec Algorithm", RFC 3713, April 2004.

   [2]   Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4309, 4303,
         December 2005.

   [17]  Kato, A., Moriai,

   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [4]   Dworkin, M., "Recommendation for Block Cipher Modes of
         Operation - Methods and Techniques", NIST Special
         Publication 800-38A, November 2001, <http://csrc.nist.gov/
         publications/nistpubs/800-38a/sp800-38a.pdf>.

   [5]   Kato, A. and M. Kanda, "The Camellia Cipher
         Algorithm "Camellia Counter mode and Its Use With IPsec", Camellia
         Counter with CBC Mac mode algorithms",
         draft-kato-camellia-ctrccm-00 (work in progress),
         November 2007.

   [6]   Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
         RFC 4312, 4306, December 2005.

   [18]

9.2.  Informative

   [7]   National Institute of Standards and Technology, "Advanced
         Encryption Standard (AES)", FIPS PUB 197, November 2001,
         <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.

   [19]

   [8]   International Organization for Standardization, "Information
         technology - Security techniques - Encryption algorithms - Part
         3: Block ciphers", ISO/IEC 18033-3, July 2005.

   [9]   "The NESSIE project (New European Schemes for Signatures,
         Integrity and Encryption)",
         <http://www.cosic.esat.kuleuven.ac.be/nessie/>.

   [20]

   [10]  Information-technology Promotion Agency (IPA), "Cryptography
         Research and Evaluation Committees",
         <http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>.

   [21]  International Organization

   [11]  Kent, S. and K. Seo, "Security Architecture for Standardization, "Information
         technology - Security techniques - Encryption algorithms - Part
         3: Block ciphers", ISO/IEC 18033-3, July the Internet
         Protocol", RFC 4301, December 2005.

   [22]

   [12]  Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document



Kato & Kanda              Expires May 19, 2008                 [Page 23]

Internet-Draft  The Additional Modes of Camellia in IPsec  November 2007


         Roadmap", RFC 2411, November 1998.

   [13]  Kato, A., Kanda, M., and T. Iwata, "The Camellia-CMAC-96 and
         Camellia-CMAC-PRF-128 Algorithms and Its Use with IPsec",
         draft-kato-ipsec-camellia-cmac96and128-00
         draft-kato-ipsec-camellia-cmac96and128-01 (work in progress),
         February
         November 2007.

   [14]  Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms",
         RFC 2675, August 1999.










































Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 37] 24]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


URIs

   [23]

   [15]  <http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html>

   [24]

   [16]  <http://info.isl.ntt.co.jp/camellia/>














































Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 38] 25]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


Authors' Addresses

   Akihiro Kato
   NTT Software Corporation

   Phone: +81-45-212-7934 +81-45-212-7577
   Fax:   +81-45-212-7800
   Email: akato@po.ntts.co.jp


   Masayuki Kanda
   Nippon Telegraph and Telephone Corporation

   Phone: +81-422-59-3456
   Fax:   +81-422-59-4015
   Email: kanda@isl.ntt.co.jp kanda.masayuki@lab.ntt.co.jp



































Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 39] 26]

Internet-Draft  The Additional Modes of Camellia in IPsec      June  November 2007


Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Kato & Kanda              Expires December 27, 2007 May 19, 2008                 [Page 40] 27]


----