One document matched: draft-kato-ipsec-camellia-modes-08.xml
<?xml version="1.0"?>
<?rfc symrefs='no'?>
<?rfc sortrefs='yes'?>
<?rfc toc='yes'?>
<?rfc strict='no'?>
<!DOCTYPE rfc SYSTEM 'rfc2119.dtd' [
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc2407.dtd' [
<!ENTITY rfc2407 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2407.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc3610.dtd' [
<!ENTITY rfc3610 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3610.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc2409.dtd' [
<!ENTITY rfc2409 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2409.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc2675.dtd' [
<!ENTITY rfc2675 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2675.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4312.dtd' [
<!ENTITY rfc4312 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4312.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4132.dtd' [
<!ENTITY rfc4132 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4132.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc3657.dtd' [
<!ENTITY rfc3657 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3657.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc3686.dtd' [
<!ENTITY rfc3686 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3686.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4301.dtd' [
<!ENTITY rfc4301 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4301.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4302.dtd' [
<!ENTITY rfc4302 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4302.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4303.dtd' [
<!ENTITY rfc4303 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4303.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4306.dtd' [
<!ENTITY rfc4306 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4306.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4309.dtd' [
<!ENTITY rfc4309 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4309.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc2411.dtd' [
<!ENTITY rfc2411 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2411.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4051.dtd' [
<!ENTITY rfc4051 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4051.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc3713.dtd' [
<!ENTITY rfc3713 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3713.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4106.dtd' [
<!ENTITY rfc4106 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4106.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc5116.dtd' [
<!ENTITY rfc5116 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml'>
]>
<!DOCTYPE rfc SYSTEM 'rfc4312.dtd' [
<!ENTITY rfc4312 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4312.xml'>
]>
<rfc ipr="full3978" category="std" docName="draft-kato-ipsec-camellia-modes-08">
<front>
<title abbrev="Modes of Operation for Camellia for IPsec">
Modes of Operation for Camellia for Use With IPsec
</title>
<author initials="A." surname="Kato"
fullname="Akihiro Kato">
<organization>
NTT Software Corporation
</organization>
<address>
<phone>+81-45-212-7577</phone>
<facsimile>+81-45-212-9800</facsimile>
<email>akato@po.ntts.co.jp</email>
</address>
</author>
<author initials="M." surname="Kanda"
fullname="Masayuki Kanda">
<organization>
Nippon Telegraph and Telephone Corporation
</organization>
<address>
<phone>+81-422-59-3456</phone>
<facsimile>+81-422-59-4015</facsimile>
<email>kanda.masayuki@lab.ntt.co.jp</email>
</address>
</author>
<date/>
<area>Security</area>
<workgroup>Network Working Group</workgroup>
<keyword>Internet-Draft</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>IPsec</keyword>
<keyword>Camellia</keyword>
<keyword>Block Cipher</keyword>
<keyword>Mode of operation</keyword>
<abstract>
<t>This document describes the use of the Camellia block cipher
algorithm in Cipher Block Chaining (CBC) mode, Counter (CTR) mode, and
Counter with CBC-MAC (CCM) mode, as
an IKEv2 and Encapsulating Security Payload (ESP) mechanism to provide
confidentiality, data origin authentication, and connectionless integrity.
</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>
This document describes the use of the Camellia block cipher
algorithm in Cipher Block Chaining (CBC) mode, Counter (CTR) mode, and
Counter with CBC-MAC (CCM) mode, as
an IKEv2 <xref target="RFC4306" /> and Encapsulating Security Payload (ESP) <xref target="RFC4303" /> mechanism to provide
confidentiality, data origin authentication, and connectionless integrity.
</t>
<t>
Camellia is a symmetric cipher with a Feistel structure. Camellia
was developed jointly by NTT and Mitsubishi Electric Corporation in
2000. It was designed to withstand all known cryptanalytic attacks,
and it has been scrutinized by worldwide cryptographic experts.
Camellia is suitable for implementation in software and hardware,
offering encryption speed in software and hardware implementations
that is comparable to Advanced
Encryption Standard (AES) <xref target="FIPS.197.2001" />.
</t>
<t>
Camellia supports 128-bit block size and 128-, 192-, and 256-bit key
lengths, i.e., the same interface specifications as the AES.
Therefore, it is easy to implement Camellia based algorithms by replacing the
AES block of AES based algorithms with a Camellia block.
</t>
<t>
Camellia has been adopted as one of the three ISO/IEC
international standard <xref target="ISO/IEC 18033-3" /> 128-bit block
ciphers (Camellia, AES, and SEED).
Camellia was selected as a recommended cryptographic
primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and
Encryption) project <xref target="NESSIE"/> and was included in the list of
cryptographic techniques for Japanese e-Government systems that was
selected by the Japanese CRYPTREC (Cryptography Research and Evaluation
Committees) <xref target="CRYPTREC" />.
</t>
<t>
Since optimized source code is provided under several open source licenses <xref target="Camellia HP" />,
Camellia is also adopted by several open source projects (OpenSSL,
FreeBSD, Linux, and Firefox Gran Paradiso).
</t>
<t>The algorithm specification and object identifiers are described in
<xref target="RFC3713" />.
</t>
<t>
The Camellia web site <xref target="Camellia HP" /> contains a wealth of information
about Camellia, including detailed specification, security analysis,
performance figures, reference implementation, optimized
implementation, test vectors, and intellectual property information.
</t>
<t>
The remainder of this document specifies use of various modes of
operation for Camellia within the context of IPsec ESP. For further
information on how the various pieces of IPsec in general and ESP in
particular fit together to provide security services, please refer to
<xref target="RFC4301" /> and <xref target="RFC4303" />.
</t>
<section title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119" />.
</t>
</section>
</section>
<section anchor="camellia" title="The Camellia Cipher Algorithm">
<t>
All symmetric block cipher algorithms share common characteristics
and variables, including mode, key size, weak keys, block size, and
rounds. The following sections contain descriptions of the relevant
characteristics of Camellia.
</t>
<section title="Key Size">
<t>Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits.
The default key size is 128 bits, and all implementations MUST
support this key size. Implementations MAY also support key sizes of
192 bits and 256 bits.</t>
<t>Camellia uses a different number of rounds for each of the defined
key sizes. When a 128-bit key is used, implementations MUST use 18
rounds. When a 192-bit key is used, implementations MUST use 24
rounds. When a 256-bit key is used, implementations MUST use 24
rounds.</t>
</section>
<section anchor="block" title="Weak Keys">
<t>
At the time of writing this document there are no known weak keys for
Camellia.</t>
</section>
<section title="Block Size and Padding">
<t>Camellia uses a block size of 16 octets (128 bits).</t>
<t>Padding requirements are described;</t>
<vspace blankLines="0" />
<t> a) Camellia Padding requirement is specified in <xref target="RFC4303" />.
<vspace blankLines="0" />
b) Camellia-CBC Padding requirement is specified in <xref target="RFC4303" />.
<vspace blankLines="0" />
c) Camellia-CCM Padding requirement is specified in <xref target="CCM" />.
<vspace blankLines="0" />
d) ESP Padding requirement is specified in <xref target="RFC4303" />.
</t>
</section>
<section title="Performance">
<t>
Performance figures for Camellia are available at <xref target="Camellia HP" />.
The NESSIE project has reported on the performance of optimized implementations
independently <xref target="NESSIE"/>.
</t>
</section>
</section>
<section title="Modes">
<t>
NIST has defined seven modes of operation for AES and other FIPS-
approved ciphers : CBC (Cipher Block Chaining), ECB
(Electronic CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack),
CTR (Counter), CMAC (Cipher-based MAC), and CCM (Counter with CBC MAC).
</t>
<section title="Cipher Block Chaining">
<t>
The CBC mode is well defined and well understood
for symmetric ciphers, and it is currently used for all other ESP
ciphers. This document specifies the use of the Camellia cipher in
CBC mode within ESP. This mode MUST have an Initialization Vector
(IV) size that is the same as the block size. Use of a randomly
generated IV prevents generation of identical ciphertext from
packets that have identical data spanning the first block of the
cipher algorithm's block size.
</t>
<t>
The CBC IV is XORed with the first plaintext block before it is
encrypted. Then, for successive blocks, the previous ciphertext
block is XORed with the current plain text before it is encrypted.
More information on CBC mode can be obtained in <xref target="MODES"/>.
</t>
</section>
<section title="Counter" anchor="Counter">
<t>
Camellia-CTR <xref target="CTRCCM"/> requires the encryptor to generate a unique per-packet value,
and communicate this value to the decryptor. This specification
calls this per-packet value an IV. The same
IV and key combination MUST NOT be used more than once. The
encryptor can generate the IV in any manner that ensures uniqueness.
Common approaches to IV generation include incrementing a counter for
each packet and linear feedback shift registers (LFSRs).
</t>
<t>
This specification calls for the use of a nonce for additional
protection against precomputation attacks. The nonce value need not
to be secret. However, the nonce MUST be unpredictable prior to the
establishment of the IPsec Security Association (SA) using of Camellia-CTR.
</t>
<t>
Camellia-CTR has many properties that make it an attractive encryption
algorithm for use in high-speed networking. Camellia-CTR uses the Camellia block
cipher to behave like a stream cipher. Data is encrypted and decrypted by
XORing with the key stream produced by Camellia encrypting sequential
counter block values. Camellia-CTR is easy to implement, and Camellia-CTR can
be pipelined and parallelized. Camellia-CTR also supports key stream
precomputation.
</t>
<t>
When used correctly, Camellia-CTR provides a high level of
confidentiality. Unfortunately, Camellia-CTR is easy to use incorrectly.
Being a stream cipher, any reuse of the per-packet value, called the
IV, with the same nonce and key is catastrophic. An IV collision
immediately leaks information about the plaintext in both packets.
For this reason, it is inappropriate to use this mode of operation
with static keys. Extraordinary measures would be needed to prevent
reuse of an IV value with the static key across power cycles. To be
safe, implementations MUST use fresh keys with Camellia-CTR. The Internet
Key Exchange (IKEv2) <xref target="RFC4306" /> protocol can be used to establish fresh
keys. IKE can also provide the nonce value.
</t>
<t>
With CTR mode, it is trivial to use a valid ciphertext to forge other
(valid to the decryptor) ciphertexts. Thus, it is equally
catastrophic to use Camellia-CTR without a companion authentication
function. Implementations MUST use Camellia-CTR in conjunction with an
authentication function, such as Camellia-CMAC-96 <xref target="CMAC" />.
</t>
</section>
<section title = "Counter with CBC-MAC">
<t>
CCM is a generic authenticate-and-encrypt block cipher mode.
In this specification, CCM is used with the Camellia <xref target="CTRCCM" /> block cipher.
</t>
<t>
Camellia-CCM <xref target="CTRCCM"/> has two parameters:
</t>
<list style="hanging">
<t hangText="M">
M indicates the size of the integrity check value (ICV). CCM
defines values of 4, 6, 8, 10, 12, 14, and 16 octets; However, to
maintain alignment and provide adequate security, in IPsec ESP
only the values 8, 12, and 16 are permitted. Implementations MUST
support M values of 8 octets and 16 octets, and implementations
MAY support an M value of 12 octets.</t>
<t hangText="L">
L indicates the size of the length field in octets. CCM
defines values of L from 2 to 8 octets. This
specification only supports L = 4 for use with ESP. Implementations MUST
support an L value of 4 octets, which accommodates a full
Jumbogram <xref target="RFC2675" />; however, the length includes all of the
encrypted data, which also includes the ESP Padding, Pad
Length, and Next Header fields.</t>
</list>
<t>
There are four inputs to CCM originator processing:
</t>
<list style="hanging">
<t hangText="key">
<vspace blankLines="0" />
A single key is used to calculate the ICV using CBC-MAC and to
perform payload encryption using CTR mode. Camellia supports
key sizes of 128 bits, 192 bits, and 256 bits. The default key
size is 128 bits, and implementations MUST support this key
size. Implementations MAY also support key sizes of 192 bits
and 256 bits.
</t>
<t hangText="nonce">
<vspace blankLines="0" />
The size of the nonce depends on the value selected for the
parameter L. It is 15-L octets. Implementations MUST support
a nonce of 11 octets. The construction of the nonce is
described in <xref target="NONCE"/>.
</t>
<t hangText="payload">
<vspace blankLines="0" />
The payload of the ESP packet. The payload MUST NOT be longer
than 4,294,967, and 295 octets, which is the maximum size of a
Jumbogram <xref target="RFC2675" />; however, the ESP Padding, Pad Length, and
Next Header fields are also part of the payload.
</t>
<t hangText="AAD">
<vspace blankLines="0" />
CCM provides data integrity and data origin authentication for
some data outside the payload. CCM does not allow additional
authenticated data (AAD) to be longer than
18,446,744,073,709,551, and 615 octets. The ICV is computed from
the ESP header, Payload, and ESP trailer fields, which is
significantly smaller than the CCM-imposed limit. The
construction of the AAD is described in <xref target="AAD"/>.
</t>
</list>
<t>
Camellia-CCM requires the encryptor to generate a unique per-packet value
and to communicate this value to the decryptor. This per-packet
value is one of the component parts of the nonce, and it is referred
to as the IV. The same IV and key
combination MUST NOT be used more than once. The encryptor can
generate the IV in any manner that ensures uniqueness. Common
approaches to IV generation include incrementing a counter for each
packet and LFSRs.
</t>
<t>
Camellia-CCM employs CTR mode for encryption. As with any stream
cipher, reuse of the same IV value with the same key is catastrophic.
An IV collision immediately leaks information about the plaintext in
both packets. For this reason, it is inappropriate to use this CCM
with statically configured keys. Extraordinary measures would be
needed to prevent reuse of an IV value with the static key across
power cycles. To be safe, implementations MUST use fresh keys with
Camellia-CCM. The IKEv2 protocol <xref target="RFC4306" /> can be
used to establish fresh keys.
</t>
</section>
</section>
<section title="ESP Payload">
<section title="Cipher Block Chaining">
<t>
The ESP payload for Camellia-CBC is made up of the IV followed by the ciphertext.
Thus, the payload field, as defined in <xref target="RFC4303"/>, is broken down
according to the following diagram:
</t>
<figure anchor='payload0' title="ESP Payload Encrypted with Camellia-CBC">
<artwork>
+---------------+---------------+---------------+---------------+
| |
+ Initialization Vector (16 octets) +
| |
+---------------+---------------+---------------+---------------+
| |
~ Encrypted Payload (variable length, a multiple of 16 octets) ~
| |
+---------------------------------------------------------------+
</artwork>
</figure>
<t>
The IV field MUST be the same size as the block size of the cipher
algorithm being used. The IV MUST be chosen at random, and MUST be
unpredictable.
</t>
<t>
Including the IV in each datagram ensures that each received datagram
can be decrypted, even when some datagrams are dropped or re-ordered
in transit.
</t>
<t>
To avoid CBC encryption of very similar plaintext blocks in different
packets, implementations MUST NOT use a counter or other low
Hamming-distance source for IVs.
</t>
<section title="ESP Algorithmic Interactions">
<t>
Currently, there are no known issues regarding interactions between
Camellia-CBC and other aspects of ESP, such as the use of certain
authentication schemes.
</t>
</section>
</section>
<section title="Counter">
<t>
The ESP payload for Camellia-CBC is made up of the IV followed by the ciphertext.
<xref target="payload1"/> shows the format of the ESP Payload.
</t>
<figure anchor='payload1' title="ESP Payload Encrypted with Camellia-CTR">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
| (8 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Encrypted Payload (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Authentication Data (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t>
The components of the counter block are as follows:
</t>
<list style="hanging">
<t hangText="Initialization Vector">
<vspace blankLines="0" />
The Camellia-CTR IV field MUST be 8 octets. The IV MUST be chosen by
the encryptor in a manner that ensures that the same IV value is used
only once for a given key. The encryptor can generate the IV in any
manner that ensures uniqueness. Common approaches to IV generation
include incrementing a counter for each packet and LFSRs.
Including the IV in each packet ensures that the decryptor can
generate the key stream needed for decryption, even when some packets
are lost or reordered.
</t>
<t hangText="Encrypted Payload">
<vspace blankLines="0" />
The encrypted payload contains the ciphertext.
Camellia-CTR mode does not require plaintext padding. However, ESP does
require padding to 32-bit word-align the authentication data. The
padding, Pad Length, and the Next Header MUST be concatenated with
the plaintext before performing encryption, as described in <xref target="RFC4303" />.
</t>
<t hangText="Authentication Data">
<vspace blankLines="0" />
Since it is trivial to construct a forgery Camellia-CTR ciphertext from a
valid Camellia-CTR ciphertext, Camellia-CTR implementations MUST employ a non-NULL
ESP authentication method. Camellia-CMAC-96 <xref target="CMAC" /> is a likely
choice.
</t>
</list>
<section title="Counter Block Format">
<t>
The Camellia-CTR counter block is 128
bits. <xref target="payload-CTR"/> shows the format of the counter block.
</t>
<figure anchor='payload-CTR' title="Counter Block Format">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Block Counter |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t>
The components of the counter block are as follows:
</t>
<list style="hanging">
<t hangText="Nonce">
<vspace blankLines="0" />
The Nonce field is 32 bits. As the name implies, the nonce is a
single use value. That is, a fresh nonce value MUST be assigned
for each SA. It MUST be assigned at the
establishment of the SA. The nonce value needs not to
be secret, but it MUST be unpredictable prior to the establishment of
the SA.
</t>
<t hangText="Initialization Vector">
<vspace blankLines="0" />
The IV field is 64 bits. As described in section 3.1, the IV MUST
be chosen by the encryptor in a manner that ensures that the same
IV value is used only once for a given key.
</t>
<t hangText="Block Counter">
<vspace blankLines="0" />
The block counter field is the least significant 32 bits of the
counter block. The block counter begins with the value of one,
and it is incremented to generate subsequent portions of the key
stream. The block counter is a 32-bit big-endian integer value.
</t>
</list>
<t>
Using the encryption process described in <xref target="Counter"/>, this
construction permits each packet to consist of up to:
</t>
<artwork>
(2^32)-1 blocks = 4,294,967, and 295 blocks
= 68,719,476, and 720 octets
</artwork>
<t>
This construction can produce enough key stream for each packet
sufficient to handle any IPv6 jumbogram <xref target="RFC2675" />.
</t>
</section>
<section title="Keying Material">
<t>The minimum number of bits sent from the key exchange protocol to
the ESP algorithm must be greater than or equal to the key size plus the
Nonce size.</t>
<t>The cipher's encryption and decryption key is taken from the first
128, 192, or 256 bits of the keying material.
The Nonce is taken from the next 32 bits of the keying material.</t>
</section>
</section>
<section title="Counter with CBC-MAC">
<t>
The ESP payload is composed of the IV followed by the ciphertext.
The payload field, as defined in <xref target="RFC4303" />, is structured as shown in
<xref target="payload-CCM"/>.
</t>
<figure anchor='payload-CCM' title="ESP Payload Encrypted with Camellia-CCM">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
| (8 octets) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Encrypted Payload (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Authentication Data (variable) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<section title= "Initialization Vector">
<t>
The Camellia-CCM IV field MUST be 8 octets. The IV MUST be chosen by
the encryptor in a manner that ensures that the same IV value is used
only once for a given key. The encryptor can generate the IV in any
manner that ensures uniqueness. Common approaches to IV generation
include incrementing a counter for each packet and LFSRs.
</t>
<t>
Including the IV in each packet ensures that the decryptor can
generate the key stream needed for decryption, even when some
datagrams are lost or reordered.
</t>
</section>
<section title="Encrypted Payload">
<t>
The encrypted payload contains the ciphertext.
</t>
<t>
Camellia-CCM does not require plaintext padding. However, ESP does
require padding to 32-bit word-align the authentication data. The
Padding, Pad Length, and Next Header fields MUST be concatenated
with the plaintext before performing encryption, as described in
<xref target="RFC4303" />. When padding is required, it MUST be generated and checked
in accordance with the conventions specified in <xref target="RFC4303" />.
</t>
</section>
<section title="Authentication Data">
<t>
Camellia-CCM provides an encrypted ICV. The ICV provided by CCM is
carried in the Authentication Data field without further encryption.
Implementations MUST support ICV sizes of 8 octets and 16 octets.
Implementations MAY also support a 12-octet ICV.
</t>
</section>
<section title="Nonce Format" anchor="NONCE">
<t>
Each packet conveys the IV that is necessary to construct the
sequence of counter blocks used by CTR mode to generate the key
stream. The Camellia counter block is 16 octets. One octet is used for
the CCM Flags, and 4 octets are used for the block counter, as
specified by the CCM L parameter. The remaining octets are the
nonce. These octets occupy the second through the twelfth octets in
the counter block. <xref target="Nonce CCM"/> shows the format of the nonce.
</t>
<figure anchor='Nonce CCM' title="Nonce Format of CCM">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Salt |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t>
The components of the nonce are as follows:
</t>
<list style="hanging">
<t hangText="Salt">
<vspace blankLines="0" />
The salt field is 24 bits. As the name implies, it contains
an unpredictable value. That is, a fresh salt value MUST be assinged for each SA. It MUST be assigned at the establishment
of the SA. The salt value needs not to be
secret, but it MUST NOT be predictable prior to the establishment
of the SA.</t>
<t hangText="Initialization Vector">
<vspace blankLines="0" />
The IV field is 64 bits. As described in
Section 3.1, the IV MUST be chosen by the encryptor in a manner
that ensures that the same IV value is used only once for a
given key.
</t>
</list>
<t>
This construction permits each packet to consist of up to:
</t>
<artwork>
2^32 blocks = 4,294,967,296 blocks
= 68,719,476,736 octets
</artwork>
<t>
This construction provides more key stream for each packet than is
needed to handle any IPv6 Jumbogram <xref target="RFC2675"/>.
</t>
</section>
<section title="AAD Construction" anchor="AAD">
<t>
The data integrity and data origin authentication for the Security
Parameters Index (SPI) and (Extended) Sequence Number fields is
provided without encrypting them. Two formats are defined: one for
32-bit sequence numbers and one for 64-bit extended sequence numbers.
The format with 32-bit sequence numbers is shown in <xref target="AAD32"/>, and the
format with 64-bit extended sequence numbers is shown in <xref target="AAD64"/>.
</t>
<t>
Sequence Numbers are conveyed in network byte order. (Network byte
order is fully described in Appendix B of RFC 791 [tbd]).
</t>
<figure anchor='AAD32' title=" AAD Format with 32-bit Sequence Number">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 32-bit Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<figure anchor='AAD64' title=" AAD Format with 64-bit Sequence Number">
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64-bit Extended Sequence Number |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
</section>
</section>
</section>
<section title="IKEv2 Conventions">
<t>
This section describes the transform ID and conventions used to generate keying
material for use with ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CTR and
ENCR_CAMELLIA_CCM using the Internet Key Exchange (IKEv2) <xref target="RFC4306"/>.
</t>
<section title="Keying Material">
<t>
The size of KEYMAT MUST be equal or longer than the associated Camellia key.
The keying material is used as follows:</t>
<list style="hanging">
<t hangText="Camellia-CBC with a 128-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CBC key is 16 octets.
The whole octets are the 128-bit Camellia key.</t>
<t hangText="Camellia-CBC with a 192-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CBC key is 24 octets.
The whole octets are the 192-bit Camellia key.</t>
<t hangText="Camellia-CBC with a 256-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CBC key is 32 octets.
The whole octets are the 256-bit Camellia key.</t>
<t hangText="Camellia-CTR with a 128-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CTR key is 20 octets. The
first 16 octets are the 128-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.</t>
<t hangText="Camellia-CTR with a 192-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CTR key is 28 octets. The
first 24 octets are the 192-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.</t>
<t hangText="Camellia-CTR with a 256-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CTR key is 36 octets. The
first 32 octets are the 256-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.</t>
<t hangText="Camellia-CCM with a 128-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CCM key is 19 octets. The
first 16 octets are the 128-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.</t>
<t hangText="Camellia-CCM with a 192-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CCM key is 27 octets. The
first 24 octets are the 192-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.</t>
<t hangText="Camellia-CCM with a 256-bit key">
<vspace blankLines="0" />
The KEYMAT requested for each Camellia-CCM key is 35 octets. The
first 32 octets are the 256-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.</t>
</list>
</section>
<section title="Transform Type 1">
<t>
For IKEv2 negotiations, IANA has assigned five ESP Transform
Identifiers for Camellia-CBC, Camellia-CTR and Camellia-CCM.
</t>
<artwork>
<TBD1> for Camellia-CBC with explicit IV;
<TBD2> for Camellia-CTR with explicit IV;
<TBD3> for Camellia-CCM with an 8-octet ICV;
<TBD4> for Camellia-CCM with a 12-octet ICV; and
<TBD5> for Camellia-CCM with a 16-octet ICV.
</artwork>
</section>
<section title="Key Length Attribute">
<t>
Since Camellia supports three key lengths, the Key Length attribute
MUST be specified in the IKE exchange <xref target="RFC4306"/>. The Key Length
attribute MUST have a value of 128, 192, or 256 bits.
</t>
</section>
</section>
<section title='Security Considerations'>
<t>
Implementations are encouraged to use the largest key sizes they can,
taking into account performance considerations for their particular
hardware and software configuration. Note that encryption
necessarily affects both sides of a secure channel, so such
consideration must take into account not only the client side, but
also the server. However, a key size of 128 bits is considered
secure for the foreseeable future.
</t>
<t>
Camellia-CTR and Camellia-CCM employ CTR mode for
confidentiality. If a counter
value is ever used for more that one packet with the same key, then
the same key stream will be used to encrypt both packets, and the
confidentiality guarantees are voided.
</t>
<t>
What happens if the encryptor XORs the same key stream with two
different packet plaintexts? Suppose two packets are defined by two
plaintext byte sequences P_1, P_2, P_3 and Q_1, Q_2, Q_3, then both are
encrypted with key stream K_1, K_2, K_3. The two corresponding
ciphertexts are:
</t>
<artwork>
(P_1 XOR K_1), (P_2 XOR K_2), (P_3 XOR K_3)
(Q_1 XOR K_1), (Q_2 XOR K_2), (Q_3 XOR K_3)
</artwork>
<t>
If both of these two ciphertexts streams are exposed to an attacker,
then a catastrophic failure of confidentiality results, because:
</t>
<artwork>
(P_1 XOR K_1) XOR (Q_1 XOR K_1) = P1 XOR Q1
(P_2 XOR K_2) XOR (Q_2 XOR K_2) = P2 XOR Q2
(P_3 XOR K_3) XOR (Q_3 XOR K_3) = P3 XOR Q3
</artwork>
<t>
Once the attacker obtains the two plaintexts XORed together, it is
relatively straightforward to separate them. Thus, using any stream
cipher, including Camellia-CTR, to encrypt two plaintexts under the same
key stream leaks the plaintext.
</t>
<t>
Therefore, Camellia-CTR and Camellia-CCM should not be used with statically configured
keys. Extraordinary measures would be needed to prevent the reuse of
a counter block value with the static key across power cycles. To be
safe, implementations MUST use fresh keys with Camellia-CTR and
Camellia-CCM. The
IKEv2 <xref target="RFC4306" /> protocol can be used to establish fresh keys.
</t>
<t>
When IKE is used to establish fresh keys between two peer entities,
separate keys are established for the two traffic flows. If a
different mechanism is used to establish fresh keys, one that
establishes only a single key to encrypt packets, then there is a
high probability that the peers will select the same IV values for
some packets. Thus, to avoid counter block collisions, ESP
implementations that permit use of the same key for encrypting and
decrypting packets with the same peer MUST ensure that the two peers
assign different salt values to the SA.
</t>
<t>
Regardless of the mode used, Camellia with a 128-bit key is vulnerable to
the birthday attack after 2^64 blocks are encrypted with a single
key. Since ESP with Extended Sequence Numbers allows for up to 2^64
packets in a single SA, there is real potential for more than 2^64
blocks to be encrypted with one key. Implementations SHOULD generate
a fresh key before 2^64 blocks are encrypted with the same key. Note
that ESP with 32-bit Sequence Numbers will not exceed 2^64 blocks
even if all of the packets are maximum-length Jumbograms.
</t>
<t>
No security problem has been found for Camellia <xref target="CRYPTREC"/>, <xref target ="NESSIE"/>.
</t>
</section>
<section title='IANA Considerations'>
<t>
IANA has assigned five IKEv2 parameters
for use with Camellia-CBC, Camellia-CTR, and Camellia-CCM for
Transform Type 1 (Encryption Algorithm):
</t>
<artwork>
<TBD1> for ENCR_CAMELLIA_CBC;
<TBD2> for ENCR_CAMELLIA_CTR;
<TBD3> for ENCR_CAMELLIA_CCM with an 8-octet ICV;
<TBD4> for ENCR_CAMELLIA_CCM with a 12-octet ICV; and
<TBD5> for ENCR_CAMELLIA_CCM with a 16-octet ICV.
</artwork>
</section>
<section title= "Acknowledgments">
<t>
We thank Tim Polk and Tero Kivinen for their initial review of this document.
</t>
</section>
</middle>
<back>
<references title="Normative">
&rfc2119;
&rfc4303;
&rfc4306;
&rfc3713;
&rfc5116;
&rfc4312;
<reference anchor="MODES" target="http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf">
<front>
<title>Recommendation for Block Cipher Modes of Operation - Methods and Techniques</title>
<author initials="M." surname="Dworkin" fullname="Dworkin, M.">
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="November" year="2001" />
</front>
<seriesInfo name="NIST Special Publication" value="800-38A" />
</reference>
<reference anchor="CCM" target="http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf">
<front>
<title>Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality</title>
<author initials="M." surname="Dworkin" fullname="Dworkin, M.">
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="July" year="2007" />
</front>
<seriesInfo name="NIST Special Publication" value="800-38C" />
</reference>
</references>
<references title="Informative">
&rfc2411;
&rfc2675;
&rfc4301;
<reference anchor="FIPS.197.2001" target="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf">
<front>
<title>Advanced Encryption Standard (AES)</title>
<author>
<organization>National Institute of Standards and Technology</organization>
</author>
<date month="November" year="2001" />
</front>
<seriesInfo name="FIPS" value="PUB 197" />
</reference>
<reference anchor="NESSIE" target="http://www.cosic.esat.kuleuven.ac.be/nessie/">
<front>
<title abbrev="NESSIE">The NESSIE project (New European Schemes for Signatures, Integrity and Encryption) </title>
<author>
<organization />
</author>
</front>
</reference>
<reference anchor="CRYPTREC" target="http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html" >
<front>
<title>Cryptography Research and Evaluation Committees</title>
<author fullname="Information-technology Promotion Agency (IPA)">
<organization>Information-technology Promotion Agency (IPA)</organization>
<address>
<postal>
<street/>
<country>Japan</country>
</postal>
</address>
</author>
</front>
<format type="HTML" target="http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html." />
</reference>
<reference anchor="ISO/IEC 18033-3">
<front>
<title>Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers</title>
<author>
<organization>International Organization for Standardization</organization>
</author>
<date month="July" year="2005" />
</front>
<seriesInfo name="ISO/IEC" value="18033-3" />
</reference>
<reference anchor="CMAC">
<front>
<title abbrev="The Camellia CMAC-96 and CMAC-PRF-128">
The Camellia-CMAC-96 and Camellia-CMAC-PRF-128 Algorithms and Its Use with IPsec
</title>
<author initials="A." surname="Kato"
fullname="Akihiro Kato">
<organization>
NTT Software Corporation
</organization>
<address>
<phone>+81-45-212-7614</phone>
<facsimile>+81-45-212-7528</facsimile>
<email>akato@po.ntts.co.jp</email>
</address>
</author>
<author initials="M." surname="Kanda"
fullname="Masayuki Kanda">
<organization>
Nippon Telegraph and Telephone Corporation
</organization>
<address>
<phone>+81-422-59-3456</phone>
<facsimile>+81-422-59-4015</facsimile>
<email>kanda.masayuki@lab.ntt.co.jp</email>
</address>
</author>
<author initials="T." surname="Iwata"
fullname="Tetsu Iwata">
<organization>
Nagoya University
</organization>
<address>
<email>iwata@cse.nagoya-u.ac.jp</email>
</address>
</author>
<date month="November" year="2007" />
</front>
<seriesInfo name="Internet-Draft" value="draft-kato-ipsec-camellia-cmac96and128-02" />
</reference>
<reference anchor="CTRCCM">
<front>
<title abbrev="Camellia-CTR and Camellia-CCM algorithms">
Camellia Counter mode and Camellia Counter with CBC Mac mode algorithms
</title>
<author initials="A." surname="Kato"
fullname="Akihiro Kato">
<organization>
NTT Software Corporation
</organization>
<address>
<phone>+81-45-212-7614</phone>
<facsimile>+81-45-212-7528</facsimile>
<email>akato@po.ntts.co.jp</email>
</address>
</author>
<author initials="M." surname="Kanda"
fullname="Masayuki Kanda">
<organization>
Nippon Telegraph and Telephone Corporation
</organization>
<address>
<phone>+81-422-59-3456</phone>
<facsimile>+81-422-59-4015</facsimile>
<email>kanda.masayuki@lab.ntt.co.jp</email>
</address>
</author>
<date month="November" year="2007" />
</front>
<seriesInfo name="Internet-Draft" value="draft-kato-camellia-ctrccm-00" />
</reference>
<reference anchor="Camellia HP" target="http://info.isl.ntt.co.jp/camellia/">
<front>
<title>Camellia web site</title>
<author>
<organization />
</author>
<date />
</front>
</reference>
<reference anchor="open source license" target="http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html">
<front>
<title>Camellia open source software</title>
<author>
<organization />
</author>
<date />
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 05:42:12 |