view Side-By-Side changes
Network Working Group A. KatoInternet-DraftRequest for Comments: 5529 NTT Software CorporationIntended status:Category: Standards Track M. KandaExpires: August 30, 2009 Nippon Telegraph and Telephone CorporationNTT S. Kanno NTT Software CorporationFebruary 26,April 2009 Modes of Operation for Camellia for UseWithwith IPsecdraft-kato-ipsec-camellia-modes-10Status ofthis MemoThisInternet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.Memo This documentmay contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtainingspecifies anadequate license from the person(s) controlling the copyright in such materials, this document may not be modified outsideInternet standards track protocol for theIETF Standards Process,Internet community, andderivative works of it may not be created outside the IETF Standards Process, except to format itrequests discussion and suggestions forpublication as an RFC orimprovements. Please refer totranslate it into languages other than English. Internet-Drafts are working documentsthe current edition of theInternet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid"Internet Official Protocol Standards" (STD 1) fora maximum of six monthsthe standardization state andmay be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The liststatus ofcurrent Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The listthis protocol. Distribution ofInternet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 30, 2009.this memo is unlimited. Copyright NoticeKato, et al. Expires August 30, 2009 [Page 1] Internet-Draft Modes of Operation for Camellia for IPsec February 2009Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.Kato, et al. Expires August 30, 2009 [Page 2] Internet-Draft Modes of Operation for Camellia for IPsec February 2009Abstract This document describes the use of the Camellia block cipher algorithm in Cipher Block Chaining (CBC) mode, Counter (CTR) mode, and Counter with CBC-MAC (CCM)mode,mode asan IKEv2additional, optional-to- implement Internet Key Exchange Protocol version 2 (IKEv2) and Encapsulating Security Payload (ESP)mechanismmechanisms to provide confidentiality, data origin authentication, and connectionless integrity. Kato, et al. Standards Track [Page 1] RFC 5529 Modes of Operation for Camellia for IPsec April 2009 Table of Contents 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 4....................................................2 1.1. Terminology. . . . . . . . . . . . . . . . . . . . . . . 4................................................3 2. The Camellia Cipher Algorithm. . . . . . . . . . . . . . . . 5...................................3 2.1. Block Size and Padding. . . . . . . . . . . . . . . . . . 5.....................................3 2.2. Performance. . . . . . . . . . . . . . . . . . . . . . . 5................................................3 3. Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6...........................................................3 3.1. Cipher Block Chaining. . . . . . . . . . . . . . . . . . 6......................................3 3.2. Counter and Counter with CBC-MAC. . . . . . . . . . . . . 6...........................3 4. IKEv2 Conventions. . . . . . . . . . . . . . . . . . . . . . 7...............................................4 4.1. Keying Material. . . . . . . . . . . . . . . . . . . . . 7............................................4 4.2. Transform Type 1. . . . . . . . . . . . . . . . . . . . . 8...........................................5 4.3. Key Length Attribute. . . . . . . . . . . . . . . . . . . 8.......................................5 5. Security Considerations. . . . . . . . . . . . . . . . . . . 9.........................................5 6. IANA Considerations. . . . . . . . . . . . . . . . . . . . . 10.............................................5 7. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . 11.................................................5 8. References. . . . . . . . . . . . . . . . . . . . . . . . . . 12......................................................5 8.1. Normative. . . . . . . . . . . . . . . . . . . . . . . . 12References .......................................5 8.2. Informative. . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 Kato, et al. Expires August 30, 2009 [Page 3] Internet-Draft Modes of Operation for Camellia for IPsec February 2009References .....................................6 1. Introduction This document describes the use of the Camellia block cipher algorithm [1] in Cipher Block Chaining (CBC) mode, Counter (CTR) mode, and Counter with CBC-MAC (CCM)mode,mode asanadditional, optional-to- implement IKEv2[1][2] and Encapsulating Security Payload (ESP)[2] mechanism[3] mechanisms to provide confidentiality, data origin authentication, and connectionless integrity. Since optimized source code is provided under several open source licenses [9], Camellia is also adopted by several open source projects (OpenSSL, FreeBSD, Linux, and Firefox Gran Paradiso). The algorithm specification and object identifiers are described in[3].[1]. The Camellia web site [10] contains a wealth of information about Camellia, including detailed specification, security analysis, performance figures, reference implementation, optimized implementation, test vectors, and intellectual property information. The remainder of this document specifies the use of various modes of operation for Camellia within the context of IPsec ESP. For further information on how the various pieces of IPsec in general and ESP in particular fit together to provide security services, please refer to [11] and[2].[3]. Kato, et al. Standards Track [Page 2] RFC 5529 Modes of Operation for Camellia for IPsec April 2009 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [4].Kato, et al. Expires August 30, 2009 [Page 4] Internet-Draft Modes of Operation for Camellia for IPsec February 20092. The Camellia Cipher Algorithm All symmetric block cipher algorithms share common characteristics and variables, including mode, key size, weak keys, block size, and rounds. The relevant characteristics of Camelliadescribesare described in[3].[1]. 2.1. Block Size and Padding Camellia uses a block size of 16 octets (128 bits). Padding requirements are described:a)(a) Camellia Padding requirement is specified in[2], b)[3], (b) Camellia-CBC Padding requirement is specified in[2], c)[3], (c) Camellia-CCM Padding requirement is specified in [5],d)and (d) ESP Padding requirement is specified in[2].[3]. 2.2. Performance Performance figures for Camellia are available at [10]. The NESSIE project has reported on the performance of optimized implementations independently [12].Kato, et al. Expires August 30, 2009 [Page 5] Internet-Draft Modes of Operation for Camellia for IPsec February 20093. Modes This document describes three modes ofoperation(CBCoperation for the use of Camellia with IPsec: CBC (Cipher Block Chaining), CTR (Counter), and CCM (Counter withCBC MAC)) for Camellia on IPsec.CBC-MAC). 3.1. Cipher Block Chaining Camellia CBC mode is defined in [6]. 3.2. Counter and Counter with CBC-MAC Camellia in CTR and CCM modes is used in IPsec as AES in [7] and [8]. In this specification, CCM is used with the Camellia [13] block cipher. Kato, et al.Expires August 30, 2009Standards Track [Page6] Internet-Draft3] RFC 5529 Modes of Operation for Camellia for IPsecFebruaryApril 2009 4. IKEv2 Conventions This section describes the transform ID and conventions used to generate keying material for use with ENCR_CAMELLIA_CBC,ENCR_CAMELLIA_CTRENCR_CAMELLIA_CTR, and ENCR_CAMELLIA_CCM using the Internet Key Exchange (IKEv2)[1].[2]. 4.1. Keying Material The size of KEYMAT MUST be equal or longer than the associated Camellia key. The keying material is used as follows: Camellia-CBC with a 128-bit key The KEYMAT requested for each Camellia-CBC key is 16 octets.The wholeAll 16 octets are the 128-bit Camellia key. Camellia-CBC with a 192-bit key The KEYMAT requested for each Camellia-CBC key is 24 octets.The wholeAll 24 octets are the 192-bit Camellia key. Camellia-CBC with a 256-bit key The KEYMAT requested for each Camellia-CBC key is 32 octets.The wholeAll 32 octets are the 256-bit Camellia key. Camellia-CTR with a 128-bit key The KEYMAT requested for each Camellia-CTR key is 20 octets. The first 16 octets are the 128-bit Camellia key, and the remaining four octets are used as the nonce value in the counter block. Camellia-CTR with a 192-bit key The KEYMAT requested for each Camellia-CTR key is 28 octets. The first 24 octets are the 192-bit Camellia key, and the remaining four octets are used as the nonce value in the counter block. Camellia-CTR with a 256-bit key The KEYMAT requested for each Camellia-CTR key is 36 octets. The first 32 octets are the 256-bit Camellia key, and the remaining four octets are used as the nonce value in the counter block. Camellia-CCM with a 128-bit key The KEYMAT requested for each Camellia-CCM key is 19 octets. The first 16 octets are the 128-bit Camellia key, and the remaining three octets are used as the salt value in the counter block. Camellia-CCM with a 192-bit key The KEYMAT requested for each Camellia-CCM key is 27 octets. The first 24 octets are the 192-bit Camellia key, and the remaining three octets are used as the salt value in the counter block. Kato, et al.Expires August 30, 2009Standards Track [Page7] Internet-Draft4] RFC 5529 Modes of Operation for Camellia for IPsecFebruaryApril 2009 Camellia-CCM with a 256-bit key The KEYMAT requested for each Camellia-CCM key is 35 octets. The first 32 octets are the 256-bit Camellia key, and the remaining three octets are used as the salt value in the counter block. 4.2. Transform Type 1 For IKEv2 negotiations, IANA has assigned five ESP Transform Identifiers for Camellia-CBC,Camellia-CTR and Camellia-CCM: <TBD1> for Camellia-CBC with explicit IV; <TBD2> for Camellia-CTR with explicit IV; <TBD3> for Camellia-CCM with an 8-octet ICV; <TBD4> for Camellia-CCM with a 12-octet ICV;Camellia-CTR, and<TBD5> for Camellia-CCM with a 16-octet ICV.Camellia-CCM, as recorded in Section 6. 4.3. Key Length Attribute Since Camellia supports three key lengths, the Key Length attribute MUST be specified in the IKE exchange[1].[2]. The Key Length attribute MUST have a value of 128, 192, or 256 bits.Kato, et al. Expires August 30, 2009 [Page 8] Internet-Draft Modes of Operation for Camellia for IPsec February 20095. Security ConsiderationsAboutFor security considerations of CTR and CCM mode, this document refers to Section9.9 of [7] and Section7.7 of [8]. No security problem has been found for Camellia [14], [12].Kato, et al. Expires August 30, 2009 [Page 9] Internet-Draft Modes of Operation for Camellia for IPsec February 20096. IANA Considerations IANA has assigned IKEv2 parameters for use withCamellia-CTR,Camellia-CTR and with Camellia-CCM for Transform Type 1 (Encryption Algorithm):<TBD1>23 for ENCR_CAMELLIA_CBC;<TBD2>24 for ENCR_CAMELLIA_CTR;<TBD3>25 for ENCR_CAMELLIA_CCM with an 8-octet ICV;<TBD4>26 for ENCR_CAMELLIA_CCM with a 12-octet ICV; and<TBD5>27 for ENCR_CAMELLIA_CCM with a 16-octet ICV.Kato, et al. Expires August 30, 2009 [Page 10] Internet-Draft Modes of Operation for Camellia for IPsec February 20097. Acknowledgments We thank Tim Polk and Tero Kivinen for their initial review of this document. Thanks to DerekAtkins,Atkins and Rui Hodai for their comments and suggestions. Special thanks to Alfred Hoenes for several very detailed reviews and suggestions. 8. References 8.1. Normative References [1] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the Camellia Encryption Algorithm", RFC 3713, April 2004. Kato, et al.Expires August 30, 2009Standards Track [Page11] Internet-Draft5] RFC 5529 Modes of Operation for Camellia for IPsecFebruaryApril 20098. References 8.1. Normative [1][2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", RFC 4306, December 2005.[2][3] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.[3] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the Camellia Encryption Algorithm", RFC 3713, April 2004.[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [5] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality", NIST Special Publication 800-38C, July 2007, <http://csrc.nist.gov/publications/nistpubs/800-38C/ SP800-38C_updated-July20_2007.pdf>. [6] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher Algorithm and Its Use With IPsec", RFC 4312, December 2005. [7] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, December 2005. [8] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004. 8.2. Informative References [9] "Camellia open source software", <http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html>. [10] "Camellia web site", <http://info.isl.ntt.co.jp/camellia/>. [11] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [12] "The NESSIE project (New European Schemes for Signatures, Integrity and Encryption)",<http://www.cosic.esat.kuleuven.ac.be/nessie/>.<http://www.cosic.esat.kuleuven.be/nessie/>. [13] Kato, A., Kanda, M., and S. Kanno, "Camellia CountermodeMode andKato, et al. Expires August 30, 2009 [Page 12] Internet-Draft Modes of Operation for Camellia for IPsec February 2009Camellia Counter withCBC Mac mode algorithms", draft-kato-camellia-ctrccm-05 (work in progress), FebruaryCBC-MAC Mode Algorithms", RFC 5528, April 2009. [14] Information-technology Promotion Agency (IPA), "Cryptography Research and Evaluation Committees", <http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>. Kato, et al.Expires August 30, 2009Standards Track [Page13] Internet-Draft6] RFC 5529 Modes of Operation for Camellia for IPsecFebruaryApril 2009 Authors' Addresses Akihiro Kato NTT Software Corporation Phone: +81-45-212-7577 Fax: +81-45-212-9800Email:EMail: akato@po.ntts.co.jp Masayuki KandaNippon Telegraph and Telephone CorporationNTT Phone: +81-422-59-3456 Fax: +81-422-59-4015Email:EMail: kanda.masayuki@lab.ntt.co.jp Satoru Kanno NTT Software Corporation Phone: +81-45-212-7577 Fax: +81-45-212-9800Email:EMail: kanno-s@po.ntts.co.jp Kato, et al.Expires August 30, 2009Standards Track [Page14]7] ----