idnits 2.17.00 (12 Aug 2021) /tmp/idnits48980/draft-songlee-aes-cmac-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5 on line 949. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 926. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 933. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 939. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 2 instances of too long lines in the document, the longest one being 1 character in excess of 72. ** There are 17 instances of lines with control characters in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 261 has weird spacing: '...onst_Rb is 0...' == Line 317 has weird spacing: '...onst_Rb is 0...' == Line 325 has weird spacing: '... flag for ...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '3' on line 688 -- Looks like a reference, but probably isn't: '5' on line 621 -- Looks like a reference, but probably isn't: '256' on line 487 -- Looks like a reference, but probably isn't: '16' on line 877 -- Looks like a reference, but probably isn't: '4' on line 724 -- Looks like a reference, but probably isn't: '12' on line 866 -- Looks like a reference, but probably isn't: '0' on line 797 -- Looks like a reference, but probably isn't: '13' on line 629 -- Looks like a reference, but probably isn't: '1' on line 686 -- Looks like a reference, but probably isn't: '14' on line 630 -- Looks like a reference, but probably isn't: '2' on line 687 -- Looks like a reference, but probably isn't: '15' on line 631 -- Looks like a reference, but probably isn't: '8' on line 725 -- Looks like a reference, but probably isn't: '10' on line 626 -- Looks like a reference, but probably isn't: '9' on line 625 -- Looks like a reference, but probably isn't: '6' on line 630 -- Looks like a reference, but probably isn't: '7' on line 627 -- Looks like a reference, but probably isn't: '11' on line 631 -- Looks like a reference, but probably isn't: '64' on line 867 -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST-CMAC' -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Non-RFC (?) normative reference: ref. 'OMAC1' -- Possible downref: Non-RFC (?) normative reference: ref. 'XCBC' Summary: 7 errors (**), 0 flaws (~~), 5 warnings (==), 31 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 JunHyuk Song 3 Jicheol Lee 4 INTERNET DRAFT Samsung Electronics 5 Expires: November 24, 2005 May 25 2005 7 The AES-CMAC Algorithm 8 draft-songlee-aes-cmac-00.txt 10 Status of This Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 Copyright Notice 35 Copyright (C) The Internet Society (2005). 37 Abstract 39 National Institute of Standards and Technology (NIST) has newly 40 specified the Cipher based MAC (CMAC) which is equivalent to the 41 One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa. 42 OMAC1 efficiently reduces the key size of Extended Cipher Block 43 Chaining mode (XCBC). This memo specifies the authentication 44 mechanism based on CMAC mode of operation with 128-bit Advanced 45 Encryption Standard (AES) cipher block. This new authentication 46 algorithm is named AES-CMAC 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Specification of Language . . . . . . . . . . . . . . . . 2 52 3. AES-CMAC Algorithm . . . . . . . . . . . . . . . . . . . . 3 53 3.1 Basic Definitions. . . . . . . . . . . . . . . . . . . . . 3 54 3.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4 55 3.3 Input and Output . . . . . . . . . . . . . . . . . . . . . 5 56 3.3.1 Input . . . . . . . . . . . . . . . . . . . . . . . . . 5 57 3.3.2 Output . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 3.4 Padding . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 3.5 Subkey Generation . . . . .. . . . . . . . . . . . . . . . 6 60 3.6 AES-CMAC Generation . . . . . . . . . . . . . . . . . . . 7 61 4. Security Considerations . . . . . . . . . . . . . . . . . . 9 62 5. Test Vector . . . . . . . . . . . . . . . . . . . . . . . . 9 63 6. Acknowledgement . . . . . . .. . . . . . . . . . . . . . . 10 64 7. Authors address . . . . . . . . . . . . . . . . . . . . . . 10 65 8. References . . . . . . . . . . . . . . . . . . . . . . . . 10 66 Appendix A. Test Code . .. . . . . . . . . . . . . . . . . . . 11 68 1. Introduction 70 National Institute of Standards and Technology (NIST) has newly 71 specified the Cipher based MAC (CMAC). CMAC [NIST-CMAC] is a keyed 72 hashed function that is based on a symmetric key block cipher such 73 as Advanced Encryption Standard [AES]. CMAC is equivalent to the 74 One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa 75 [OMAC1]. Although the OMAC1 algorithm is based on the eXtended Cipher 76 Block Chaining mode (XCBC) algorithm submitted by Rogaway and Black 77 [XCBC], OMAC1 efficiently reduces the key size of XCBC. 78 This memo specifies the authentication mechanism based on 79 CMAC mode of operation with 128-bit Advanced Encryption Standard 80 (AES) cipher block. This new authentication algorithm is named 81 AES-CMAC 83 2. Specification of Language 85 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 86 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 87 document are to be interpreted as described in RFC 2119 [3]. 89 In addition, the following words are used to signify the requirements 90 of the specification. 92 3. AES-CMAC Algorithm 94 3.1 Basic definitions 96 The following table describes the basic definitions necessary to 97 explain CMAC algorithm and definitions. 99 || Concatenation. 100 a || b means the concatenation a with following b. 102 XOR Exclusive OR. 103 a XOR b means the result of exclusive-OR'ing a 104 with b. 106 [x] Ceiling function. 107 [3.5] results 4. [5] results 5. 109 << Left-shift operation. 110 10010001 << 1 is equal to 00100010. 112 x^y y-times repeated x. 113 0^3 means that 000 in binary format 114 10^4 means that 10000 in binary format 115 10^i means that 1 and i-times repeated 0. 117 CBC Cipher Block Chaining mode of operation for message 118 authentication code. 120 MAC Message Authentication Code. 121 A bitstring of a fixed length, computed by MAC 122 generation algorithm, that is used to established 123 the authority and hence, the integrity of a message. 125 CMAC Cipher-based MAC based on an approved symmetric key 126 block cipher, such as the Advanced Encryption 127 Standard. 129 MSB(x) The most-significant bit of x. 130 MSB(10010001) means 1. 132 padding(x) 10^i padded output of input x. 133 It is described in detail in section 3. 135 Key (K) 128-bits (16bytes) long key for AES-128 cipher block. 136 Denoted by K. 138 K1 First subkey, K1 is generated by subkey generation 139 method. 141 K2 Second subkey, K2 is generated by subkey generation 142 method. 144 Message (M) Message to be authenticated. 145 Denoted by M. 146 The total message M is denoted by sequence of M_i 147 where M_i is the i'th block with size 128-bit. 148 Message can be null message which means that the 149 length of M is 0. 151 Length (len) The length of message M in bytes. 152 Denoted by len. 153 Minimum value of the length can be 0. The maximum 154 value of the length is not specified in this document. 156 AES-128(K,M) 128-bit ciphertext, output of performing AES-128 157 cipher block of 128-bit plaintext M with 128-bit 158 Key K 160 AES-CMAC CMAC generation function based on AES block cipher 161 with 128-bits key 163 3.2 Overview 165 The Advanced Encryption Standard [AES] is recently defined symmetric 166 key block cipher by NIST. AES-CMAC algorithm uses the CBC mode of 167 operation based on block cipher with 128-bit key for message 168 authentication code generation. In CBC-mode uses output of the 169 cipher block in order to exclusive-or with next input block. 170 The output of CMAC-mode will provide data integrity over whole 171 input message. 173 There are two cases of operation in CMAC. Figure 3.1 illustrated the 174 operation of CBC-MAC with two cases. If the size of input 175 message block is equal to multiple of block size namely 128-bits, 176 the last block processing shall be exclusive-OR'ed with K1. 177 Otherwise, the last block shall be padded with 10^i (notation is 178 described in section 3.1) and exclusive-OR'ed with K2. The result 179 of the previous process will be the input of the last CBC operation. 181 +-----+ +-----+ +-----+ +-----+ +-----+ +---+----+ 182 | M_1 | | M_2 | | M_n | | M_1 | | M_2 | |M_n|10^i| 183 +-----+ +-----+ +-----+ +-----+ +-----+ +---+----+ 184 | | | | | | 185 | +--->(+) +--->(+)<- K1 | +--->(+) +--->(+)<- K2 186 | | | | | | | | | | 187 +-----+ | +-----+ | +-----+ +-----+ | +-----+ | +-----+ 188 | E_k | | | E_k | | | E_k | | E_k | | | E_k | | | E_k | 189 +-----+ | +-----+ | +-----+ +-----+ | +-----+ | +-----+ 190 | | | | | | | | | | 191 +-----+ +-----+ | +-----+ +-----+ | 192 | | 193 T T 194 (a) multiple block size (b) not multiple block size 196 Figure 3.1 Illustration of two cases of CMAC generation 198 E_k is cipher block function with key, k. In this memo, 199 E is the AES-128 cipher block and k is input key namely K. 200 M_i means the message block with length 128-bit where i = 1...n. 201 K1 is the key for the case (a). 202 K2 is the key for the case (b). 203 K1 and K2 is generated by subkey generation method described in 204 section 3.4.2. 206 3.3 Input and Output 208 3.3.1 Input 210 A given block cipher and key typically fixed across most CMAC 211 invocations are called prerequisites. A given block cipher in 212 this memo is AES-128 and length of key is 128-bits (16bytes). 213 Other input parameters defined in this memo are 'M' denoting 214 the message to be authenticated and 'len' denoting the length 215 of message M in bytes. The total message M is denoted by sequence 216 of M_i where M_i is the i'th block with size 128-bit. 218 3.3.2 Output 220 The output of AES-CMAC can validate the input message. 221 Validating the message provide assurance of the integrity and 222 authenticity over the message from the source. According to 223 [NIST-CMAC] at least 64-bits should be used for against guessing 224 attack. Result of truncation should be taken in most significant 225 bits first order. 227 3.4 Padding 229 AES-CMAC uses cipher block with fixed length (128-bit). There 230 should be a special treatment in case that the length of plaintext is 231 not divided by cipher block length. The special treatment is to pad 232 10^i bit-string for adjusting size of the last-block up to the cipher 233 block length. 235 The method of padding is described as [OMAC1]. 236 Padding(x) means 10^i padded output with 128-bit length. 237 If the input x has length r-bytes, padding(x) is defined as follows: 239 - padding(x) = x || 10^i where i is 128-8*r-1 241 3.5 Subkey Generation 243 AES-CMAC algorithm requires the subkeys K1 and K2. K1 is used 244 for the case that the size of last block is equal to cipher block 245 size. K2 is used for the case that the size of last block is less 246 than cipher block size. 248 Through Generate_Subkey algorithm, we get K1 and K2 from the input K 249 which is the input key described 3.3. 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 252 + Algorithm Generate_Subkey + 253 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 254 + + 255 + Input : K (128-bit Key described in section 4.1) + 256 + Output : K1 (128-bit subkey) + 257 + K2 (128-bit subkey) + 258 +-------------------------------------------------------------------+ 259 + + 260 + Constants: const_Zero is 0x00000000000000000000000000000000 + 261 + const_Rb is 0x00000000000000000000000000000087 + 262 + Variables: L for output of AES-128 applied to 0^128 + 263 + + 264 + Step 1. L := AES-128(K, const_Zero); + 265 + Step 2. if MSB(L) is equal to 0 + 266 + then K1 := L << 1; + 267 + else K1 := (L << 1) XOR const_Rb; + 268 + Step 3. if MSB(K1) is equal to 0 + 269 + then K2 := K1 << 1; + 270 + else K2 := (K1 << 1) XOR const_Rb; + 271 + Step 4. return K1, K2; + 272 + + 273 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 275 Figure 3.2 Generate_Subkey Algorithm 276 Figure 3.2 describes the algorithm generating subkeys. 277 In step 1. AES-128 is applied to all zero bits with key k 279 In step 2 K1 is derive through following operation: 280 If the most significant bit of L is equal to 0, left-shift L by 1 281 bit. Otherwise, exclusive-OR const_Rb with the result of 1-bit 282 left-shift of L. 284 In step 3. K2 is derived through following operation: 285 If the most significant bit of K1 is equal to 0, left-shift 286 K1 by 1 bit. Otherwise, exclusive-OR const_Rb with the result 287 of 1-bit left-shift of K1. 288 In step 4. return K1 and K2. 290 The mathematical meaning of procedure in step 2 and step 3 including 291 const_Rb can be found in [OMAC1]. 293 3.6 AES-CMAC Generation 295 To perform the algorithm, we should have Generate_Subkey algorithm 296 which is described in section 3.4.2 and padding function which is 297 used in case that the size of last block is less than the cipher 298 block size. 300 Inputs of AES-CMAC are K, M, len which are described in section 3.3. 302 Output of AES-CMAC is T which is the authentication code described 303 in section 3.3. 305 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 306 + Algorithm AES-CMAC + 307 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 308 + + 309 + Input : K ( 128-bit Symmetric Key ) + 310 + : M ( message to be authenticated ) + 311 + : len ( length of message in bytes ) + 312 + Output : T ( message authenticated code ) + 313 + + 314 +-------------------------------------------------------------------+ 315 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 316 + Constants: const_Zero is 0x00000000000000000000000000000000 + 317 + const_Rb is 0x00000000000000000000000000000087 + 318 + const_Bsize is 16 in bytes for 128-bit block + 319 + + 320 + Variables: K1, K2 for 128-bit subkeys + 321 + M_i means i'th 128-bit block (i=1..[M/const_Bsize]) + 322 + M_last for last block xor-ed with K1 or K2 + 323 + n for number of block to be processed + 324 + r for number of bytes of last block + 325 + flag for denoting if last block is complete or not + 326 + + 327 + Step 1. (K1,K2) := Generate_Subkey(K); + 328 + Step 2. n := [ len/const_Bsize ]; + 329 + Step 3. if n = 0 + 330 + then + 331 + n := 1; + 332 + flag := false; + 333 + else + 334 + if len mod const_Bsize is 0 + 335 + then flag := true; + 336 + else flag := false; + 337 + + 338 + Step 4. if flag is true + 339 + then M_last := M_n XOR K1; + 340 + else M_last := padding(M_n) XOR K2; + 341 + Step 5. X := const_Zero; + 342 + Step 6. for i := 1 to n-1 do + 343 + begin + 344 + Y := X XOR M_i; + 345 + X := AES-128(K,Y); + 346 + end + 347 + Y := M_last XOR X; + 348 + X := AES-128(K,Y); + 349 + Step 7. return T; + 350 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 352 Figure 3.3 AES-CMAC Algorithm 354 Figure 3.3 describes the AES-CMAC authentication code generation 355 algorithm 357 In step 1, Derive subkeys, K1 and K2 with K 359 In step 2, Calculate the number of blocks. The number of blocks 360 is a smallest integer value greater than or equal to quotient by 361 dividing length parameter by 128-bit (16 bytes). 363 In step 3, Check if the last block is complete block. 364 If the input length is less than 128-bit (16 bytes), the number of 365 blocks to be processed shall be 1 and mark the flag as not-complete 366 -block (false). Otherwise, if the last block size is 128-bit, mark 367 the flag as complete-block (true), else mark the flag as not- 368 complete-block (false). 370 In step 4, Pre-calculate the M_last block with exclusive-OR'ing 371 previously calculated subkeys. If the last block is complete block 372 (true), exclusive-OR the last block with K1. 373 Otherwise, exclusive-OR the padded last block with K2. 375 In step 5. Initialize the variable X. 377 In step 6. Perform AES-CBC mode of operation with the input 378 message M_1 to M_{n-1}. And the M_last which is calculated in step 379 4, shall be the last input block for CBC mode of operation. 380 In step 7. we finally return authentication code with 128-bit. 382 4. Security Considerations 384 The security provided by AES-CMAC is based upon the strength of AES. 385 At the time of this writing there are no practical cryptographic 386 attacks against AES or AES-CMAC. 388 As is true with any cryptographic algorithm, part of its strength 389 lies in the correctness of the algorithm implementation, the security 390 of the key management mechanism and its implementation, the strength 391 of the associated secret key, and upon the correctness of the 392 implementation in all of the participating systems. This document 393 contains test vectors to assist in verifying the correctness of 394 AES-CMAC code. 396 5. Test Vectors 398 Following test vectors are same as that of [NIST-CMAC]. 399 The following vectors are also output of the test program in 400 appendix A. 402 -------------------------------------------------- 403 Subkey Generation 404 K 2b7e1516 28aed2a6 abf71588 09cf4f3c 405 AES_128(key,0) 7df76b0c 1ab899b3 3e42f047 b91b546f 406 K1 fbeed618 35713366 7c85e08f 7236a8de 407 K2 f7ddac30 6ae266cc f90bc11e e46d513b 408 -------------------------------------------------- 409 -------------------------------------------------- 410 Example 1: len = 0 411 M 412 AES_CMAC bb1d6929 e9593728 7fa37d12 9b756746 413 -------------------------------------------------- 415 Example 2: len = 16 416 M 6bc1bee2 2e409f96 e93d7e11 7393172a 417 AES_CMAC 070a16b4 6b4d4144 f79bdd9d d04a287c 418 -------------------------------------------------- 420 Example 3: len = 40 421 M 6bc1bee2 2e409f96 e93d7e11 7393172a 422 ae2d8a57 1e03ac9c 9eb76fac 45af8e51 423 30c81c46 a35ce411 424 AES_CMAC dfa66747 de9ae630 30ca3261 1497c827 425 -------------------------------------------------- 427 Example 4: len = 64 428 M 6bc1bee2 2e409f96 e93d7e11 7393172a 429 ae2d8a57 1e03ac9c 9eb76fac 45af8e51 430 30c81c46 a35ce411 e5fbc119 1a0a52ef 431 f69f2445 df4f9b17 ad2b417b e66c3710 432 AES_CMAC 51f0bebf 7e3b9d92 fc497417 79363cfe 433 -------------------------------------------------- 435 6. Acknowledgement 437 Portions of this text were borrowed from [NIST-CMAC]. We would like 438 to thank to OMAC1 author Tetsu Iwata and Kaoru Kurosawa, and CMAC 439 author Morris Dworkin, and special thanks to David Johnston for 440 providing AES cipher block test code. 442 7. Author's Address 444 Junhyuk Song 445 Samsung Electronics 446 +82-31-279-3639 447 santajunman@hanafos.com 449 Jicheol Lee 450 Samsung Electronics 451 +82-31-279-3605 452 jicheol.lee@samsung.com 454 8. References 456 [NIST-CMAC] NIST, Special Publication 800-38B Draft,"Recommendation 457 for Block Cipher Modes of Operation: The CMAC Method 458 for Authentication," March 9, 2005 460 [AES] NIST, FIPS 197, "Advanced Encryption Standard (AES)," 461 November 2001. http://csrc.nist.gov/publications/fips/ 462 fips197/fips-197.pdf 464 [OMAC1] "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa, 465 Department of Computer and Information Sciences, 466 Ilbaraki University, March 10, 2003. 468 [XCBC] Black, J. and P. Rogaway, "A Suggestion for Handling 469 Arbitrary-Length Messages with the CBC MAC," NIST 470 Second Modes of Operation Workshop, August 2001. 471 http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ 472 xcbc-mac/xcbc-mac-spec.pdf 474 Appendix A. Test Code 476 /****************************************************************/ 477 /* AES-CMAC with AES-128 bit */ 478 /* AES-128 from David Johnston (802.16) */ 479 /* CMAC Algorithm described in SP800-38B draft */ 480 /* Author: Junhyuk Song (junhyuk.song@samsung.com) */ 481 /* Jicheol Lee (jicheol.lee@samsung.com) */ 482 /****************************************************************/ 484 #include 486 /******** SBOX Table *********/ 487 unsigned char sbox_table[256] = { 488 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 489 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 490 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 491 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 492 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 493 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 494 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 495 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 496 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 497 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 498 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 499 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 500 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 501 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 502 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 503 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 504 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 505 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 506 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 507 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 508 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 509 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 510 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 511 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, 512 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 513 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 514 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 515 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 516 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 517 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 518 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 519 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 520 }; 522 /* For CMAC Calculation */ 523 unsigned char const_Rb[16] = { 524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87 526 }; 527 unsigned char const_Zero[16] = { 528 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 529 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 530 }; 532 /*****************************/ 533 /**** Function Prototypes ****/ 534 /*****************************/ 536 void xor_128(unsigned char *a, unsigned char *b, unsigned char *out); 537 void xor_32(unsigned char *a, unsigned char *b, unsigned char *out); 538 unsigned char sbox(unsigned char a); 539 void next_key(unsigned char *key, int round); 540 void byte_sub(unsigned char *in, unsigned char *out); 541 void shift_row(unsigned char *in, unsigned char *out); 542 void mix_column(unsigned char *in, unsigned char *out); 543 void add_round_key( unsigned char *shiftrow_in, 544 unsigned char *mcol_in, 545 unsigned char *block_in, 546 int round, 547 unsigned char *out); 549 void AES_128(unsigned char *key, unsigned char *data, unsigned char 550 *ciphertext); 551 void leftshift_onebit(unsigned char *input,unsigned char *output); 553 /****************************************/ 554 /* AES_128() */ 555 /* Performs a 128 bit AES encrypt with */ 556 /* 128 bit data. */ 557 /****************************************/ 559 void xor_128(unsigned char *a, unsigned char *b, unsigned char *out) 560 { 561 int i; 562 for (i=0;i<16; i++) 563 { 564 out[i] = a[i] ^ b[i]; 565 } 566 } 568 void xor_32(unsigned char *a, unsigned char *b, unsigned char *out) 569 { 570 int i; 571 for (i=0;i<4; i++) 572 { 573 out[i] = a[i] ^ b[i]; 574 } 575 } 577 unsigned char sbox(unsigned char a) 578 { 579 return sbox_table[(int)a]; 580 } 582 void next_key(unsigned char *key, int round) 583 { 584 unsigned char rcon; 585 unsigned char sbox_key[4]; 586 unsigned char rcon_table[12] { 587 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 588 0x1b, 0x36, 0x36, 0x36 589 }; 591 sbox_key[0] = sbox(key[13]); 592 sbox_key[1] = sbox(key[14]); 593 sbox_key[2] = sbox(key[15]); 594 sbox_key[3] = sbox(key[12]); 595 rcon = rcon_table[round]; 597 xor_32(&key[0], sbox_key, &key[0]); 598 key[0] = key[0] ^ rcon; 600 xor_32(&key[4], &key[0], &key[4]); 601 xor_32(&key[8], &key[4], &key[8]); 602 xor_32(&key[12], &key[8], &key[12]); 603 } 605 void byte_sub(unsigned char *in, unsigned char *out) 606 { 607 int i; 608 for (i=0; i< 16; i++) 609 { 610 out[i] = sbox(in[i]); 611 } 612 } 614 void shift_row(unsigned char *in, unsigned char *out) 615 { 616 out[0] = in[0]; 617 out[1] = in[5]; 618 out[2] = in[10]; 619 out[3] = in[15]; 620 out[4] = in[4]; 621 out[5] = in[9]; 622 out[6] = in[14]; 623 out[7] = in[3]; 624 out[8] = in[8]; 625 out[9] = in[13]; 626 out[10] = in[2]; 627 out[11] = in[7]; 628 out[12] = in[12]; 629 out[13] = in[1]; 630 out[14] = in[6]; 631 out[15] = in[11]; 632 } 634 void mix_column(unsigned char *in, unsigned char *out) 635 { 636 int i; 637 unsigned char add1b[4]; 638 unsigned char add1bf7[4]; 639 unsigned char rotl[4]; 640 unsigned char swap_halfs[4]; 641 unsigned char andf7[4]; 642 unsigned char rotr[4]; 643 unsigned char temp[4]; 644 unsigned char tempb[4]; 646 for (i=0 ; i<4; i++) 647 { 648 if ((in[i] & 0x80)== 0x80) 649 add1b[i] = 0x1b; 650 else 651 add1b[i] = 0x00; 652 } 654 swap_halfs[0] = in[2]; /* Swap halfs */ 655 swap_halfs[1] = in[3]; 656 swap_halfs[2] = in[0]; 657 swap_halfs[3] = in[1]; 659 rotl[0] = in[3]; /* Rotate left 8 bits */ 660 rotl[1] = in[0]; 661 rotl[2] = in[1]; 662 rotl[3] = in[2]; 664 andf7[0] = in[0] & 0x7f; 665 andf7[1] = in[1] & 0x7f; 666 andf7[2] = in[2] & 0x7f; 667 andf7[3] = in[3] & 0x7f; 669 for (i = 3; i>0; i--) /* logical shift left 1 bit */ 670 { 671 andf7[i] = andf7[i] << 1; 672 if ((andf7[i-1] & 0x80) == 0x80) 673 { 674 andf7[i] = (andf7[i] | 0x01); 675 } 676 } 677 andf7[0] = andf7[0] << 1; 678 andf7[0] = andf7[0] & 0xfe; 680 xor_32(add1b, andf7, add1bf7); 682 xor_32(in, add1bf7, rotr); 684 temp[0] = rotr[0]; /* Rotate right 8 bits */ 685 rotr[0] = rotr[1]; 686 rotr[1] = rotr[2]; 687 rotr[2] = rotr[3]; 688 rotr[3] = temp[0]; 689 xor_32(add1bf7, rotr, temp); 690 xor_32(swap_halfs, rotl,tempb); 691 xor_32(temp, tempb, out); 692 } 694 void AES_128(unsigned char *key, unsigned char *data, unsigned char 695 *ciphertext) 696 { 697 int round; 698 int i; 699 unsigned char intermediatea[16]; 700 unsigned char intermediateb[16]; 701 unsigned char round_key[16]; 703 for(i=0; i<16; i++) round_key[i] = key[i]; 705 for (round = 0; round < 11; round++) 706 { 707 if (round == 0) 708 { 709 xor_128(round_key, data, ciphertext); 710 next_key(round_key, round); 711 } 713 else if (round == 10) 714 { 715 byte_sub(ciphertext, intermediatea); 716 shift_row(intermediatea, intermediateb); 717 xor_128(intermediateb, round_key, ciphertext); 718 } 719 else /* 1 - 9 */ 720 { 721 byte_sub(ciphertext, intermediatea); 722 shift_row(intermediatea, intermediateb); 723 mix_column(&intermediateb[0], &intermediatea[0]); 724 mix_column(&intermediateb[4], &intermediatea[4]); 725 mix_column(&intermediateb[8], &intermediatea[8]); 726 mix_column(&intermediateb[12], &intermediatea[12]); 727 xor_128(intermediatea, round_key, ciphertext); 728 next_key(round_key, round); 729 } 730 } 731 } 732 void print_hex(char *str, unsigned char *buf, int len) 733 { 734 int i; 736 for ( i=0; i=0; i-- ) { 771 output[i] = input[i] << 1; 772 output[i] |= overflow; 773 overflow = (input[i] & 0x80)?1:0; 774 } 775 return; 776 } 778 void generate_subkey(unsigned char *key, unsigned char *K1, unsigned 779 char *K2) 780 { 781 unsigned char L[16]; 782 unsigned char Z[16]; 783 unsigned char tmp[16]; 784 int i; 786 for ( i=0; i<16; i++ ) Z[i] = 0; 788 AES_128(key,Z,L); 790 if ( (L[0] & 0x80) == 0 ) { /* If MSB(L) = 0, then K1 = L << 1 */ 791 leftshift_onebit(L,K1); 792 } else { /* Else K1 = ( L << 1 ) (+) Rb */ 793 leftshift_onebit(L,tmp); 794 xor_128(tmp,const_Rb,K1); 795 } 797 if ( (K1[0] & 0x80) == 0 ) { 798 leftshift_onebit(K1,K2); 799 } else { 800 leftshift_onebit(K1,tmp); 801 xor_128(tmp,const_Rb,K2); 802 } 803 return; 804 } 806 void padding ( unsigned char *lastb, unsigned char *pad, int length ) 807 { 808 int j; 810 /* original last block */ 811 for ( j=0; j<16; j++ ) { 812 if ( j < length ) { 813 pad[j] = lastb[j]; 814 } else if ( j == length ) { 815 pad[j] = 0x80; 816 } else { 817 pad[j] = 0x00; 818 } 819 } 820 } 822 void AES_CMAC ( unsigned char *key, unsigned char *input, int length, 823 unsigned char *mac ) 824 { 825 unsigned char X[16],Y[16], M_last[16], padded[16]; 826 unsigned char K1[16], K2[16]; 827 int n, i, flag; 828 generate_subkey(key,K1,K2); 830 n = (length+15) / 16; /* n is number of rounds */ 831 if ( n == 0 ) { 832 n = 1; 833 flag = 0; 834 } else { 835 if ( (length%16) == 0 ) { /* last block is a complete block */ 836 flag = 1; 837 } else { /* last block is not complete block */ 838 flag = 0; 839 } 840 } 842 if ( flag ) { /* last block is complete block */ 843 xor_128(&input[16*(n-1)],K1,M_last); 844 } else { 845 padding(&input[16*(n-1)],padded,length%16); 846 xor_128(padded,K2,M_last); 847 } 849 for ( i=0; i<16; i++ ) X[i] = 0; 851 for ( i=0; i\n"); 895 AES_CMAC(key,M,0,T); 896 printf("AES_CMAC "); print128(T); printf("\n"); 898 printf("\nExample 2: len = 16\n"); 899 printf("M "); print_hex(" ",M,16); 900 AES_CMAC(key,M,16,T); 901 printf("AES_CMAC "); print128(T); printf("\n"); 903 printf("\nExample 3: len = 40\n"); 904 printf("M "); print_hex(" ",M,40); 905 AES_CMAC(key,M,40,T); 906 printf("AES_CMAC "); print128(T); printf("\n"); 908 printf("\nExample 4: len = 64\n"); 909 printf("M "); print_hex(" ",M,64); 910 AES_CMAC(key,M,64,T); 911 printf("AES_CMAC "); print128(T); printf("\n"); 913 printf("--------------------------------------------------\n"); 915 return 0; 916 } 917 Intellectual Property Statement 919 The IETF takes no position regarding the validity or scope of any 920 Intellectual Property Rights or other rights that might be claimed to 921 pertain to the implementation or use of the technology described in 922 this document or the extent to which any license under such rights 923 might or might not be available; nor does it represent that it has 924 made any independent effort to identify any such rights. Information 925 on the procedures with respect to rights in RFC documents can be 926 found in BCP 78 and BCP 79. 928 Copies of IPR disclosures made to the IETF Secretariat and any 929 assurances of licenses to be made available, or the result of an 930 attempt made to obtain a general license or permission for the use of 931 such proprietary rights by implementers or users of this 932 specification can be obtained from the IETF on-line IPR repository at 933 http://www.ietf.org/ipr. 935 The IETF invites any interested party to bring to its attention any 936 copyrights, patents or patent applications, or other proprietary 937 rights that may cover technology that may be required to implement 938 this standard. Please address the information to the IETF at 939 ietf-ipr@ietf.org. 941 Disclaimer of Validity 943 This document and the information contained herein are provided on an 944 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 945 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 946 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 947 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 948 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 949 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 951 Copyright Statement 953 Copyright (C) The Internet Society (2005). This document is subject 954 to the rights, licenses and restrictions contained in BCP 78, and 955 except as set forth therein, the authors retain all their rights. 957 Acknowledgment 959 Funding for the RFC Editor function is currently provided by the 960 Internet Society.