WDIFF

draft-kato-ipsec-camellia-modes-07.txt --> draft-kato-ipsec-camellia-modes-08.txt

Network Working Group A. Kato
Internet-Draft NTT Software Corporation
Obsoletes: 4312 (if approved) M. Kanda
Intended status: Standards Track M. Kanda
Expires: December 29, 2008 Nippon Telegraph and Telephone
Expires: September 20, 2008
Corporation
March 19,
June 27, 2008

The Additional

Modes of Operation for Camellia and Its for Use With IPsec
draft-kato-ipsec-camellia-modes-07
draft-kato-ipsec-camellia-modes-08

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on September 20, December 29, 2008.

Kato & Kanda Expires September 20, December 29, 2008 [Page 1]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

Abstract

This document describes the use of the Camellia block cipher
algorithm in Cipher Block Chaining (CBC) mode, Counter (CTR) mode mode,
and Counter with CBC-MAC (CCM) mode, as an IPsec IKEv2 and Encapsulating
Security Payload (ESP) mechanism to provide confidentiality, data
origin authentication, and connectionless integrity.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 4
2. The Camellia Cipher Algorithm . . . . . . . . . . . . . . . . 5
2.1. Key Size . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Weak Keys . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3. Block Size and Padding . . . . . . . . . . . . . . . . . . 5
2.4. Performance . . . . . . . . . . . . . . . . . . . . . . . 5
3. Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 6
3.1. CBC . . . . . . . . . Cipher Block Chaining . . . . . . . . . . . . . . . . . . 7 6
3.2. Counter . . . . . . . . . . . . . . . . . . . . . . . . . 7 6
3.3. Counter with CBC-MAC . . . . . . . . . . . . . . . . . . . 8 7
4. ESP Payload . . . . . . . . . . . . . . . . . . . . . . . . . 11 9
4.1. CBC . . . . . . . . . Cipher Block Chaining . . . . . . . . . . . . . . . . . . 11 9
4.1.1. ESP Algorithmic Interactions . . . . . . . . . . . . . 11 9
4.2. Counter . . . . . . . . . . . . . . . . . . . . . . . . . 11 9
4.2.1. Counter Block Format . . . . . . . . . . . . . . . . . 12 10
4.2.2. Keying Material . . . . . . . . . . . . . . . . . . . 13 11
4.3. Counter with CBC-MAC . . . . . . . . . . . . . . . . . . . 14 12
4.3.1. Initialization Vector (IV) . . . . . . . . . . . . . . 14 . . 12
4.3.2. Encrypted Payload . . . . . . . . . . . . . . . . . . 14 12
4.3.3. Authentication Data . . . . . . . . . . . . . . . . . 15 13
4.3.4. Nonce Format . . . . . . . . . . . . . . . . . . . . . 15 13
4.3.5. AAD Construction . . . . . . . . . . . . . . . . . . . 16 14
5. IKE IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . . 17 15
5.1. Transform Type 1 Keying Material . . . . . . . . . . . . . . . . . . . . . 17 15
5.2. Key Length Attribute Transform Type 1 . . . . . . . . . . . . . . . . . . . 17
5.3. Keying Material . . 16
5.3. Key Length Attribute . . . . . . . . . . . . . . . . . . . 17 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 19 17
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 19
8. Acknowledgements Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22 20
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 21
9.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . 23 21
9.2. Informative . . . . . . . . . . . . . . . . . . . . . . . 23 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26 23
Intellectual Property and Copyright Statements . . . . . . . . . . 27 24

Kato & Kanda Expires September 20, December 29, 2008 [Page 2]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

1. Introduction

This document describes the use of the Camellia block cipher
algorithm in Cipher Block Chaining mode (CBC), (CBC) mode, Counter (CTR) mode mode,
and Counter with CBC-MAC (CCM) mode, as an IPsec IKEv2 [1] and
Encapsulating Security Payload (ESP) [2] mechanism to provide
confidentiality, data origin authentication, and connectionless
integrity.

Camellia is a symmetric cipher with a Feistel structure. Camellia
was developed jointly by NTT and Mitsubishi Electric Corporation in
2000. It was designed to withstand all known cryptanalytic attacks,
and it has been scrutinized by worldwide cryptographic experts.
Camellia is suitable for implementation in software and hardware,
offering encryption speed in software and hardware implementations
that is comparable to Advanced Encryption Standard (AES) [5]. [9].

Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
lengths, i.e., the same interface specifications as the AES.
Therefore, it is easy to implement Camellia based algorithms by
replacing the AES block of AES based algorithms to with a Camellia
block.

Camellia is has been adopted for the as one of the three ISO/IEC international
standard cipher [6] as 128bit [10] 128-bit block cipher ciphers (Camellia, AES AES, and SEED).
Camellia was selected as a recommended cryptographic primitive by the
EU NESSIE (New European Schemes for Signatures, Integrity and
Encryption) project [7] [11] and was included in the list of
cryptographic techniques for Japanese e-Government systems that was
selected by the
Japan Japanese CRYPTREC (Cryptography Research and
Evaluation Committees) [8]. [12].

Since optimized source code is provided by under several open source
lisences [15],
licenses [13], Camellia is also adopted by several open source
projects (Openssl, (OpenSSL, FreeBSD, Linux Linux, and Firefox Gran Paradiso).

The algorithm specification and object identifiers are described in
[9].
[3].

The Camellia homepage [16] web site [13] contains a wealth of information about
Camellia, including detailed specification, security analysis,
performance figures, reference implementation, optimized
implementation, test vectors, and intellectual property information.

The remainder of this document specifies the additional use of various modes of
operation for Camellia within the context of IPsec ESP. For further
information on how the various pieces of IPsec in general and ESP in
particular fit together to provide security services, please refer to [10] [1],

Kato & Kanda Expires December 29, 2008 [Page 3]

Internet-Draft Modes of Operation for Camellia for IPsec June 2008

[14] and [11]. [2].

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this

Kato & Kanda Expires September 20, 2008 [Page 3]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008
document are to be interpreted as described in [2]. [4].

Kato & Kanda Expires September 20, December 29, 2008 [Page 4]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

2. The Camellia Cipher Algorithm

All symmetric block cipher algorithms share common characteristics
and variables, including mode, key size, weak keys, block size, and
rounds. The following sections contain descriptions of the relevant
characteristics of Camellia.

The algorithm specification and object identifiers are described in
[9].

2.1. Key Size

Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits.
The default key size is 128 bits, and all implementations MUST
support this key size. Implementations MAY also support key sizes of
192 bits and 256 bits.

Camellia uses a different number of rounds for each of the defined
key sizes. When a 128-bit key is used, implementations MUST use 18
rounds. When a 192-bit key is used, implementations MUST use 24
rounds. When a 256-bit key is used, implementations MUST use 24
rounds.

2.2. Weak Keys

At the time of writing this document there are no known weak keys for
Camellia.

2.3. Block Size and Padding

Camellia uses a block size of sixteen 16 octets (128 bits).

Padding requirements are described;

a) Camellia Padding requirement is required by the algorithms to maintain a 16-octet (128-
bit) block size. Padding MUST be added, as specified in [1], such
that the data to be encrypted (which includes the ESP Pad Length and
Next Header fields) has a length that [2].
b) Camellia-CBC Padding requirement is a multiple of 16 octets.

Because of the algorithm specific padding requirement, no additional
padding specified in [2].
c) Camellia-CCM Padding requirement is required to ensure that the ciphertext terminates on a
4-octet boundary (i.e. maintaining a 16-octet block size guarantees
that the ESP Pad Length and Next Header fields will be right aligned
within a 4-octet word). Additional padding MAY be included, as specified in [1], as long as the 16-octet block size [5].
d) ESP Padding requirement is maintained. specified in [2].

2.4. Performance

Performance figures of for Camellia are available at
<http://info.isl.ntt.co.jp/crypt/camellia/>. [13]. The NESSIE
project has

Kato & Kanda Expires September 20, 2008 [Page 5]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008 reported on the performance of Optimized Implementations optimized implementations
independently [7]. [11].

Kato & Kanda Expires September 20, December 29, 2008 [Page 6] 5]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

3. Modes

3.1. CBC

NIST has defined seven modes of operation for AES and other FIPS-
approved ciphers : CBC (Cipher Block Chaining), ECB (Electronic
CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack), CTR
(Counter), CMAC (Cipher-based MAC) MAC), and CCM (CBC (Counter with CBC MAC).

3.1. Cipher Block Chaining

The CBC mode is well defined and well understood for symmetric
ciphers, and it is currently used for all other ESP ciphers. This
document specifies the use of the Camellia cipher in CBC mode within
ESP. This mode
requires MUST have an Initialization Vector (IV) size that is
the same as the block size. Use of a randomly generated IV prevents
generation of identical cipher text ciphertext from packets that have identical
data spanning the first block of the cipher algorithm's block size.

The CBC IV is XOR'd XORed with the first plaintext block before it is
encrypted. Then, for successive blocks, the previous cipher text ciphertext
block is XOR'd XORed with the current plain text before it is encrypted.
More information on CBC mode can be obtained in [3]. [6].

3.2. Counter

Camellia-CTR [12] [15] requires the encryptor to generate a unique per-
packet value, and communicate this value to the decryptor. This
specification calls this per-packet value an initialization vector
(IV). IV. The same IV and key
combination MUST NOT be used more than once. The encryptor can
generate the IV in any manner that ensures uniqueness. Common
approaches to IV generation include incrementing a counter for each
packet and linear feedback shift registers (LFSRs).

This specification calls for the use of a nonce for additional
protection against precomputation attacks. The nonce value need not
to be secret. However, the nonce MUST be unpredictable prior to the
establishment of the IPsec Security Association (SA) that is making
use using of
Camellia-CTR.

Camellia-CTR has many properties that make it an attractive
encryption algorithm for use in high-speed networking. Camellia-CTR
uses the Camellia block cipher to create behave like a stream cipher. Data
is encrypted and decrypted by XORing with the key stream produced by
Camellia encrypting sequential counter block values. Camellia-CTR is
easy to implement, and Camellia-CTR can be pipelined and
parallelized. Camellia-CTR also supports key stream precomputation.

Pipelining is possible because Camellia has multiple rounds (see
Section 2.). A hardware implementation (and some software

Kato & Kanda Expires September 20, 2008 [Page 7]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008

implementations) can create a pipeline by unwinding the loop implied
by this round structure. For example, after a 16-octet block has
been input, one round later another 16-octet block can be input, and
so on. In Camellia-CTR, these inputs are the sequential counter
block values used to generate the key stream.

Multiple independent Camellia encrypt implementations can also be
used to improve performance. For example, one could use two Camellia
encrypt implementations in parallel, to process a sequence of counter
block values, doubling the effective throughput.

The sender can precompute the key stream. Since the key stream does
not depend on any data in the packet, the key stream can be
precomputed once the nonce and IV are assigned. This precomputation
can reduce packet latency. The receiver cannot perform similar
precomputation because the IV will not be known before the packet
arrives.

When used correctly, Camellia-CTR provides a high level of
confidentiality. Unfortunately, Camellia-CTR is easy to use

Kato & Kanda Expires December 29, 2008 [Page 6]

Internet-Draft Modes of Operation for Camellia for IPsec June 2008

incorrectly. Being a stream cipher, any reuse of the per-packet
value, called the IV, with the same nonce and key is catastrophic.
An IV collision immediately leaks information about the plaintext in
both packets. For this reason, it is inappropriate to use this mode
of operation with static keys. Extraordinary measures would be
needed to prevent reuse of an IV value with the static key across
power cycles. To be safe, implementations MUST use fresh keys with
Camellia-CTR. The Internet Key Exchange (IKEv2) [4] [1] protocol can be
used to establish fresh keys. IKE can also provide the nonce value.

With Camellia-CTR, CTR mode, it is trivial to use a valid ciphertext to forge other
(valid to the decryptor) ciphertexts. Thus, it is equally
catastrophic to use Camellia-CTR without a companion authentication
function. Implementations MUST use Camellia-CTR in conjunction with
an authentication function, such as Camellia-CMAC-96 [13].

More information and Test Vectors for Camellia-CTR can be obtained in
[12]. [16].

3.3. Counter with CBC-MAC

CCM is a generic authenticate-and-encrypt block cipher mode. In this
specification, CCM is used with the Camellia [12] [15] block cipher.

Camellia-CCM [12] [15] has two parameters:

Kato & Kanda Expires September 20, 2008 [Page 8]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008

M M indicates the size of the integrity check value (ICV). CCM
defines values of 4, 6, 8, 10, 12, 14, and 16 octets; However, to
maintain alignment and provide adequate security, in IPsec ESP
only the values
that are a multiple of four 8, 12, and are at least eight 16 are permitted. Implementations MUST
support M values of 8 octets and 16 octets, and implementations
MAY support an M value of 12 octets.

L L indicates the size of the length field in octets. CCM defines
values of L between from 2 octets and to 8 octets. This specification only supports
L = 4. 4 for use with ESP. Implementations MUST support an L value
of 4 octets, which accommodates a full Jumbogram [14]; [17]; however,
the length includes all of the encrypted data, which also includes
the ESP Padding, Pad Length, and Next Header fields.

There are four inputs to CCM originator processing:

key
A single key is used to calculate the ICV using CBC-MAC and to
perform payload encryption using counter CTR mode. Camellia supports key
sizes of 128 bits, 192 bits, and 256 bits. The default key size
is 128 bits, and implementations MUST support this key size.
Implementations MAY also support key sizes of 192 bits and 256
bits.

Kato & Kanda Expires December 29, 2008 [Page 7]

Internet-Draft Modes of Operation for Camellia for IPsec June 2008

nonce
The size of the nonce depends on the value selected for the
parameter L. It is 15-L octets. Implementations MUST support a
nonce of 11 octets. The construction of the nonce is described in
Section 4.3.4.

payload
The payload of the ESP packet. The payload MUST NOT be longer
than 4,294,967,295 4,294,967, and 295 octets, which is the maximum size of a
Jumbogram [14]; [17]; however, the ESP Padding, Pad Length, and Next
Header fields are also part of the payload.

AAD
CCM provides data integrity and data origin authentication for
some data outside the payload. CCM does not allow additional
authenticated data (AAD) to be longer than
18,446,744,073,709,551,615 18,446,744,073,709,551,
and 615 octets. The ICV is computed from the ESP header, Payload,
and ESP trailer fields, which is significantly smaller than the
CCM-imposed limit. The construction of the AAD is described in
Section 4.3.5.

Camellia-CCM requires the encryptor to generate a unique per-packet
value and to communicate this value to the decryptor. This per-
packet value is one of the component parts of the nonce, and it is

Kato & Kanda Expires September 20, 2008 [Page 9]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008
referred to as the initialization vector (IV). IV. The same IV and key combination MUST NOT be
used more than once. The encryptor can generate the IV in any manner
that ensures uniqueness. Common approaches to IV generation include
incrementing a counter for each packet and linear feedback shift registers (LFSRs). LFSRs.

Camellia-CCM employs counter CTR mode for encryption. As with any stream
cipher, reuse of the same IV value with the same key is catastrophic.
An IV collision immediately leaks information about the plaintext in
both packets. For this reason, it is inappropriate to use this CCM
with statically configured keys. Extraordinary measures would be
needed to prevent reuse of an IV value with the static key across
power cycles. To be safe, implementations MUST use fresh keys with
Camellia-CCM. The IKEv2 protocol [4] [1] can be used to establish fresh
keys.

More information and Test Vectors for Camellia-CCM can be obtained in
[12].

Kato & Kanda Expires September 20, December 29, 2008 [Page 10] 8]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

4. ESP Payload

4.1. CBC Cipher Block Chaining

The ESP payload for Camellia-CBC is made up of the IV followed by raw
cipher-text. the
ciphertext. Thus, the payload field, as defined in [1], [2], is broken
down according to the following diagram:

+---------------+---------------+---------------+---------------+
| |
+ Initialization Vector (16 octets) +
| |
+---------------+---------------+---------------+---------------+
| |
~ Encrypted Payload (variable length, a multiple of 16 octets) ~
| |
+---------------------------------------------------------------+

Figure 1: ESP Payload Encrypted with Camellia-CBC

The IV field MUST be the same size as the block size of the cipher
algorithm being used. The IV MUST be chosen at random, and MUST be
unpredictable.

Including the IV in each datagram ensures that each received datagram
can be decrypted, even when some datagrams are dropped or re-ordered
in transit.

To avoid CBC encryption of very similar plaintext blocks in different
packets, implementations MUST NOT use a counter or other low Hamming-
distance source for IVs.

4.1.1. ESP Algorithmic Interactions

Currently, there are no known issues regarding interactions between
the Camellia
Camellia-CBC and other aspects of ESP, such as the use of certain
authentication schemes.

4.2. Counter

The ESP payload for Camellia-CBC is made up of the IV followed by raw
cipher-text. bits. the
ciphertext. Figure 2 shows the format of the counter block. ESP Payload.

Kato & Kanda Expires September 20, December 29, 2008 [Page 11] 9]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
| (8 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Encrypted Payload (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Authentication Data (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 2: ESP Payload Encrypted with Camellia-CTR

The components of the counter block are as follows:

Initialization Vector
The Camellia-CTR IV field MUST be eight 8 octets. The IV MUST be chosen
by the encryptor in a manner that ensures that the same IV value
is used only once for a given key. The encryptor can generate the
IV in any manner that ensures uniqueness. Common approaches to IV
generation include incrementing a counter for each packet and linear feedback shift registers (LFSRs).
LFSRs. Including the IV in each packet ensures that the decryptor
can generate the key stream needed for decryption, even when some
packets are lost or reordered.

Encrypted Payload
The encrypted payload contains the ciphertext. Camellia-CTR mode
does not require plaintext padding. However, ESP does require
padding to 32-bit word-align the authentication data. The
padding, Pad Length, and the Next Header MUST be concatenated with
the plaintext before performing encryption, as described in [1]. [2].

Authentication Data
Since it is trivial to construct a forgery Camellia-CTR ciphertext
from a valid Camellia-CTR ciphertext, Camellia-CTR implementations
MUST employ a non-NULL ESP authentication method.
Camellia-CMAC-96 [13] [16] is a likely choice.

4.2.1. Counter Block Format

The Camellia-CTR counter block is 128 bits. Figure 3 shows the
format of the counter block.

Kato & Kanda Expires September 20, December 29, 2008 [Page 12] 10]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector (IV) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Counter |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 3: Counter Block Format

The components of the counter block are as follows:

Nonce
The Nonce field is 32 bits. As the name implies, the nonce is a
single use value. That is, a fresh nonce value MUST be assigned
for each SA. It MUST be assigned at the beginning establishment of the SA.
The nonce value need needs not to be secret, but it MUST be
unpredictable prior to the beginning establishment of the SA.

Initialization Vector
The IV field is 64 bits. As described in section 3.1, the IV MUST
be chosen by the encryptor in a manner that ensures that the same
IV value is used only once for a given key.

Block Counter
The block counter field is the least significant 32 bits of the
counter block. The block counter begins with the value of one,
and it is incremented to generate subsequent portions of the key
stream. The block counter is a 32-bit big-endian integer value.

Using the encryption process described in Section 3.2, this
construction permits each packet to consist of up to:

(2^32)-1 blocks = 4,294,967,295 4,294,967, and 295 blocks
= 68,719,476,720 68,719,476, and 720 octets

This construction can produce enough key stream for each packet
sufficient to handle any IPv6 jumbogram [14]. [17].

4.2.2. Keying Material

The minimum number of bits sent from the key exchange protocol to the
ESP algorithm must be greater than or equal to the key size.

The cipher's encryption and decryption key is taken from size plus the first
Nonce size.

Kato & Kanda Expires September 20, December 29, 2008 [Page 13] 11]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

The cipher's encryption and decryption key is taken from the first
128, 192, or 256 bits of the keying material. The Nonce is taken
from the next 32 bits of the keying material.

4.3. Counter with CBC-MAC

The ESP payload is composed of the IV followed by the ciphertext.
The payload field, as defined in [1], [2], is structured as shown in
Figure 4.

Figure 4: ESP Payload Encrypted with Camellia-CCM

4.3.1. Initialization Vector (IV)

The Camellia-CCM IV field MUST be eight 8 octets. The IV MUST be chosen by
the encryptor in a manner that ensures that the same IV value is used
only once for a given key. The encryptor can generate the IV in any
manner that ensures uniqueness. Common approaches to IV generation
include incrementing a counter for each packet and
linear feedback shift registers (LFSRs). LFSRs.

Including the IV in each packet ensures that the decryptor can
generate the key stream needed for decryption, even when some
datagrams are lost or reordered.

4.3.2. Encrypted Payload

The encrypted payload contains the ciphertext.

Camellia-CCM mode does not require plaintext padding. However, ESP does
require padding to 32-bit word-align the authentication data. The
Padding, Pad Length, and Next Header fields MUST be concatenated with
the plaintext before performing encryption, as described in [1]. [2].
When padding is required, it MUST be generated and checked in
accordance with the conventions specified in [1].

Kato & Kanda Expires September 20, December 29, 2008 [Page 14] 12]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

accordance with the conventions specified in [2].

4.3.3. Authentication Data

Camellia-CCM provides an encrypted ICV. The ICV provided by CCM is
carried in the Authentication Data fields field without further encryption.
Implementations MUST support ICV sizes of 8 octets and 16 octets.
Implementations MAY also support ICV 12 octets. a 12-octet ICV.

4.3.4. Nonce Format

Each packet conveys the IV that is necessary to construct the
sequence of counter blocks used by counter CTR mode to generate the key
stream. The Camellia counter block is 16 octets. One octet is used
for the CCM Flags, and 4 octets are used for the block counter, as
specified by the CCM L parameter. The remaining octets are the
nonce. These octets occupy the second through the twelfth octets in
the counter block. Figure 5 shows the format of the nonce.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Salt |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 5: Nonce Format of CCM

The components of the nonce are as follows:

Salt
The salt field is 24 bits. As the name implies, it contains an
unpredictable value. That is, a fresh salt value MUST be assinged
for each SA. It MUST be assigned at the beginning establishment of the SA.
The salt value need needs not to be secret, but it MUST NOT be
predictable prior to the beginning establishment of the SA.

Initialization Vector
The IV field is 64 bits. As described in Section 3.1, the IV MUST
be chosen by the encryptor in a manner that ensures that the same
IV value is used only once for a given key.

This construction permits each packet to consist of up to:

2^32 blocks = 4,294,967,296 blocks

Kato & Kanda Expires December 29, 2008 [Page 13]

Internet-Draft Modes of Operation for Camellia for IPsec June 2008

= 68,719,476,736 octets

This construction provides more key stream for each packet than is

Kato & Kanda Expires September 20, 2008 [Page 15]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008
needed to handle any IPv6 Jumbogram [14]. [17].

4.3.5. AAD Construction

The data integrity and data origin authentication for the Security
Parameters Index (SPI) and (Extended) Sequence Number fields is
provided without encrypting them. Two formats are defined: one for
32-bit sequence numbers and one for 64-bit extended sequence numbers.
The format with 32-bit sequence numbers is shown in Figure 6, and the
format with 64-bit extended sequence numbers is shown in Figure 7.

Sequence Numbers are conveyed canonical in network byte order. Extended
Sequence Numbers are conveyed canonical network byte order, placing
the high-order 32 bits first and the low-order 32 bits second.
Canonical network (Network byte
order is fully described in Appendix B of RFC 791, Appendix
B. 791 [tbd]).

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 32-bit Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 6: AAD Format with 32-bit Sequence Number

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64-bit Extended Sequence Number |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 7: AAD Format with 64-bit Sequence Number

Kato & Kanda Expires September 20, December 29, 2008 [Page 16] 14]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

5. IKE IKEv2 Conventions

This section describes the transform ID and conventions used to
generate keying material for use with ENCR_CAMELLIA_CBC,
ENCR_CAMELLIA_CTR and ENCR_CAMELLIA_CCM using the Internet Key
Exchange (IKEv2) [4]. [1].

5.1. Transform Type 1

For IKEv2 negotiations, IANA has assigned five ESP Transform
Identifiers for Camellia-CBC, Camellia-CTR and Camellia-CCM.

<TBD1> for Camellia-CBC with explicit IV;
<TBD2> for Camellia-CTR with explicit IV;
<TBD3> for Camellia-CCM with an 8-octet ICV;
<TBD4> for Camellia-CCM with a 12-octet ICV; and
<TBD5> for Camellia-CCM with a 16-octet ICV.

5.2. Key Length Attribute

Since the Camellia supports three key lengths, the Key Length
attribute MUST be specified in the IKE exchange [4]. The Key Length
attribute MUST have a value of 128, 192, or 256.

5.3. Keying Material

The size of KEYMAT MUST be equal or longer than the associated
Camellia key. The keying material is used as follows:

Camellia-CBC with a 128-bit key
The KEYMAT requested for each Camellia-CBC key is 16 octets. The
whole octets are the 128-bit Camellia key.

Camellia-CBC with a 192-bit key
The KEYMAT requested for each Camellia-CBC key is 24 octets. The
whole octets are the 192-bit Camellia key.

Camellia-CBC with a 256-bit key
The KEYMAT requested for each Camellia-CBC key is 32 octets. The
whole octets are the 256-bit Camellia key.

Camellia-CTR with a 128-bit key
The KEYMAT requested for each Camellia-CTR key is 20 octets. The
first 16 octets are the 128-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.

Kato & Kanda Expires September 20, 2008 [Page 17]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008

Camellia-CTR with a 192-bit key
The KEYMAT requested for each Camellia-CTR key is 28 octets. The
first 24 octets are the 192-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.

Camellia-CTR with a 128-bit 256-bit key
The KEYMAT requested for each Camellia-CTR key is 36 octets. The
first 32 octets are the 256-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.

Camellia-CCM with a 128-bit key
The KEYMAT requested for each Camellia-CCM key is 19 octets. The
first 16 octets are the 128-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.

Camellia-CCM with a 192-bit key
The KEYMAT requested for each Camellia-CCM key is 27 octets. The
first 24 octets are the 192-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.

Kato & Kanda Expires December 29, 2008 [Page 15]

Internet-Draft Modes of Operation for Camellia for IPsec June 2008

Camellia-CCM with a 256-bit key
The KEYMAT requested for each Camellia-CCM key is 35 octets. The
first 32 octets are the 256-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.

5.2. Transform Type 1

For IKEv2 negotiations, IANA has assigned five ESP Transform
Identifiers for Camellia-CBC, Camellia-CTR and Camellia-CCM.

5.3. Key Length Attribute

Since Camellia supports three key lengths, the Key Length attribute
MUST be specified in the IKE exchange [1]. The Key Length attribute
MUST have a value of 128, 192, or 256 bits.

Kato & Kanda Expires September 20, December 29, 2008 [Page 18] 16]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

6. Security Considerations

Implementations are encouraged to use the largest key sizes they can,
taking into account performance considerations for their particular
hardware and software configuration. Note that encryption
necessarily affects both sides of a secure channel, so such
consideration must take into account not only the client side, but
also the server. However, a key size of 128 bits is considered
secure for the foreseeable future.

Camellia-CTR and Camellia-CCM employs counter (CTR) employ CTR mode for confidentiality.
If a counter value is ever used for more that one packet with the
same key, then the same key stream will be used to encrypt both
packets, and the confidentiality guarantees are voided.

What happens if the encryptor XORs the same key stream with two
different packet plaintexts? Suppose two packets are defined by two
plaintext byte sequences P1, P2, P3 and Q1, Q2, Q3, P_1, P_2, P_3 and Q_1, Q_2, Q_3, then both
are encrypted with key stream K1, K2, K3. K_1, K_2, K_3. The two corresponding
ciphertexts are:

(P1

(P_1 XOR K1), (P2 K_1), (P_2 XOR K2), (P3 K_2), (P_3 XOR K3)

(Q1 K_3)

(Q_1 XOR K1), (Q2 K_1), (Q_2 XOR K2), (Q3 K_2), (Q_3 XOR K3) K_3)

If both of these two ciphertext ciphertexts streams are exposed to an attacker,
then a catastrophic failure of confidentiality results, because:

(P1

(P_1 XOR K1) K_1) XOR (Q1 (Q_1 XOR K1) K_1) = P1 XOR Q1
(P2
(P_2 XOR K2) K_2) XOR (Q2 (Q_2 XOR K2) K_2) = P2 XOR Q2
(P3
(P_3 XOR K3) K_3) XOR (Q3 (Q_3 XOR K3) K_3) = P3 XOR Q3

Once the attacker obtains the two plaintexts XORed together, it is
relatively straightforward to separate them. Thus, using any stream
cipher, including Camellia-CTR, to encrypt two plaintexts under the
same key stream leaks the plaintext.

Therefore, Camellia-CTR and Camellia-CCM should not be used with
statically configured keys. Extraordinary measures would be needed
to prevent the reuse of a counter block value with the static key
across power cycles. To be safe, implementations MUST use fresh keys
with Camellia-CTR and Camellia-CCM. The IKEv2 [4] [1] protocol can be
used to establish fresh keys.

When IKE is used to establish fresh keys between two peer entities,
separate keys are established for the two traffic flows. If a
different mechanism is used to establish fresh keys, one that

Kato & Kanda Expires September 20, December 29, 2008 [Page 19] 17]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

establishes only a single key to encrypt packets, then there is a
high probability that the peers will select the same IV values for
some packets. Thus, to avoid counter block collisions, ESP
implementations that permit use of the same key for encrypting and
decrypting packets with the same peer MUST ensure that the two peers
assign different salt values to the SA.

Regardless of the mode used, Camellia with a 128-bit key is
vulnerable to the birthday attack after 2^64 blocks are encrypted
with a single key. Since ESP with Extended Sequence Numbers allows
for up to 2^64 packets in a single SA, there is real potential for
more than 2^64 blocks to be encrypted with one key. Implementations
SHOULD generate a fresh key before 2^64 blocks are encrypted with the
same key. Note that ESP with 32-bit Sequence Numbers will not exceed
2^64 blocks even if all of the packets are maximum-length Jumbograms.

No security problem has been found on for Camellia [8], [7]. [12], [11].

Kato & Kanda Expires September 20, December 29, 2008 [Page 20] 18]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

7. IANA Considerations

IANA has assigned five IKEv2 parameters for use with Camellia-CBC,
Camellia-CTR
Camellia-CTR, and Camellia-CCM for Transform Type 1 (Encryption
Algorithm):

<TBD1> for ENCR_CAMELLIA_CBC;
<TBD2> for ENCR_CAMELLIA_CTR;
<TBD3> for ENCR_CAMELLIA_CCM with an 8-octet ICV;
<TBD4> for ENCR_CAMELLIA_CCM with a 12-octet ICV; and
<TBD5> for ENCR_CAMELLIA_CCM with a 16-octet ICV.

Kato & Kanda Expires September 20, December 29, 2008 [Page 21] 19]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

8. Acknowledgements Acknowledgments

We thank Tim Polk and Tero Kivinen for their initial review of this
document.

Kato & Kanda Expires September 20, December 29, 2008 [Page 22] 20]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

9. References

9.1. Normative

[1] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.

[2] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
December 2005.

[2]

[3] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
Camellia Encryption Algorithm", RFC 3713, April 2004.

[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.

[3]

[5] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: the CCM Mode for Authentication and
Confidentiality", NIST Special Publication 800-38C, July 2007,
<http://csrc.nist.gov/publications/nistpubs/800-38C/
SP800-38C_updated-July20_2007.pdf>.

[6] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation - Methods and Techniques", NIST Special
Publication 800-38A, November 2001, <http://csrc.nist.gov/
publications/nistpubs/800-38a/sp800-38a.pdf>.

[4] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",

[7] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 4306, 5116, January 2008.

[8] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
Algorithm and Its Use With IPsec", RFC 4312, December 2005.

9.2. Informative

[5]

[9] National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001,
<http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.

[6]

[10] International Organization for Standardization, "Information
technology - Security techniques - Encryption algorithms - Part
3: Block ciphers", ISO/IEC 18033-3, July 2005.

[7]

[11] "The NESSIE project (New European Schemes for Signatures,
Integrity and Encryption)",
<http://www.cosic.esat.kuleuven.ac.be/nessie/>.

[8]

[12] Information-technology Promotion Agency (IPA), "Cryptography

Kato & Kanda Expires December 29, 2008 [Page 21]

Internet-Draft Modes of Operation for Camellia for IPsec June 2008

Research and Evaluation Committees",
<http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>.

[9] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
Camellia Encryption Algorithm", RFC 3713, April 2004.

[10]

[13] "Camellia web site", <http://info.isl.ntt.co.jp/camellia/>.

[14] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005.

[11] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document
Roadmap", RFC 2411, November 1998.

[12]

[15] Kato, A. and M. Kanda, "Camellia Counter mode and Camellia
Counter with CBC Mac mode algorithms",
draft-kato-camellia-ctrccm-00 (work in progress),

Kato & Kanda Expires September 20, 2008 [Page 23]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008
November 2007.

[13]

[16] Kato, A., Kanda, M., and T. Iwata, "The Camellia-CMAC-96 and
Camellia-CMAC-PRF-128 Algorithms and Its Use with IPsec",
draft-kato-ipsec-camellia-cmac96and128-02 (work in progress),
November 2007.

[14]

[17] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms",
RFC 2675, August 1999.

[18] Thayer, R., Doraswamy, N., and R. Glenn, "IP Security Document
Roadmap", RFC 2411, November 1998.

[19] "Camellia open source software",
<http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html>.

Kato & Kanda Expires September 20, 2008 [Page 24]

Internet-Draft The Additional Modes of Camellia in IPsec March 2008

URIs

[15] <http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html>

[16] <http://info.isl.ntt.co.jp/camellia/>

Kato & Kanda Expires September 20, December 29, 2008 [Page 25] 22]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

Authors' Addresses

Akihiro Kato
NTT Software Corporation

Phone: +81-45-212-7577
Fax: +81-45-212-7800 +81-45-212-9800
Email: akato@po.ntts.co.jp

Masayuki Kanda
Nippon Telegraph and Telephone Corporation

Phone: +81-422-59-3456
Fax: +81-422-59-4015
Email: kanda.masayuki@lab.ntt.co.jp

Kato & Kanda Expires September 20, December 29, 2008 [Page 26] 23]

Internet-Draft The Additional Modes of Operation for Camellia in for IPsec March June 2008

Full Copyright Statement

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Kato & Kanda Expires September 20, December 29, 2008 [Page 27] 24]

----