idnits 2.17.00 (12 Aug 2021) /tmp/idnits49457/draft-songlee-aes-cmac-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 14. -- Found old boilerplate from RFC 3978, Section 5.5 on line 947. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 924. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 931. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 937. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 2 instances of too long lines in the document, the longest one being 1 character in excess of 72. ** There are 16 instances of lines with control characters in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 259 has weird spacing: '...onst_Rb is 0...' == Line 315 has weird spacing: '...onst_Rb is 0...' == Line 323 has weird spacing: '... flag for ...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '3' on line 686 -- Looks like a reference, but probably isn't: '5' on line 619 -- Looks like a reference, but probably isn't: '256' on line 485 -- Looks like a reference, but probably isn't: '16' on line 875 -- Looks like a reference, but probably isn't: '4' on line 722 -- Looks like a reference, but probably isn't: '12' on line 864 -- Looks like a reference, but probably isn't: '0' on line 795 -- Looks like a reference, but probably isn't: '13' on line 627 -- Looks like a reference, but probably isn't: '1' on line 684 -- Looks like a reference, but probably isn't: '14' on line 628 -- Looks like a reference, but probably isn't: '2' on line 685 -- Looks like a reference, but probably isn't: '15' on line 629 -- Looks like a reference, but probably isn't: '8' on line 723 -- Looks like a reference, but probably isn't: '10' on line 624 -- Looks like a reference, but probably isn't: '9' on line 623 -- Looks like a reference, but probably isn't: '6' on line 628 -- Looks like a reference, but probably isn't: '7' on line 625 -- Looks like a reference, but probably isn't: '11' on line 629 -- Looks like a reference, but probably isn't: '64' on line 865 -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST-CMAC' -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Non-RFC (?) normative reference: ref. 'OMAC1' -- Possible downref: Non-RFC (?) normative reference: ref. 'XCBC' Summary: 7 errors (**), 0 flaws (~~), 5 warnings (==), 31 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 JunHyuk Song 2 Jicheol Lee 3 INTERNET DRAFT Samsung Electronics 4 Expires: November 30, 2005 May 31 2005 6 The AES-CMAC Algorithm 7 draft-songlee-aes-cmac-01.txt 9 Status of This Memo 11 By submitting this Internet-Draft, each author represents that any 12 applicable patent or other IPR claims of which he or she is aware 13 have been or will be disclosed, and any of which he or she becomes 14 aware will be disclosed, in accordance with Section 6 of BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 Copyright Notice 34 Copyright (C) The Internet Society (2005). 36 Abstract 38 National Institute of Standards and Technology (NIST) has newly 39 specified the Cipher based MAC (CMAC) which is equivalent to the 40 One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa. 41 OMAC1 efficiently reduces the key size of Extended Cipher Block 42 Chaining mode (XCBC). This memo specifies the authentication 43 mechanism based on CMAC mode of operation with 128-bit Advanced 44 Encryption Standard (AES) cipher block. This new authentication 45 algorithm is named AES-CMAC 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2 50 2. Specification of Language . . . . . . . . . . . . . . . . 2 51 3. AES-CMAC Algorithm . . . . . . . . . . . . . . . . . . . . 3 52 3.1 Basic Definitions. . . . . . . . . . . . . . . . . . . . . 3 53 3.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4 54 3.3 Input and Output . . . . . . . . . . . . . . . . . . . . . 5 55 3.3.1 Input . . . . . . . . . . . . . . . . . . . . . . . . . 5 56 3.3.2 Output . . . . . . . . . . . . . . . . . . . . . . . . . 5 57 3.4 Padding . . . . . . . . . . . . . . . . . . . . . . . . . 6 58 3.5 Subkey Generation . . . . .. . . . . . . . . . . . . . . . 6 59 3.6 AES-CMAC Generation . . . . . . . . . . . . . . . . . . . 7 60 4. Security Considerations . . . . . . . . . . . . . . . . . . 9 61 5. Test Vector . . . . . . . . . . . . . . . . . . . . . . . . 9 62 6. Acknowledgement . . . . . . .. . . . . . . . . . . . . . . 10 63 7. Authors address . . . . . . . . . . . . . . . . . . . . . . 10 64 8. References . . . . . . . . . . . . . . . . . . . . . . . . 10 65 Appendix A. Test Code . .. . . . . . . . . . . . . . . . . . . 11 67 1. Introduction 69 National Institute of Standards and Technology (NIST) has newly 70 specified the Cipher based MAC (CMAC). CMAC [NIST-CMAC] is a keyed 71 hashed function that is based on a symmetric key block cipher such 72 as Advanced Encryption Standard [AES]. CMAC is equivalent to the 73 One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa 74 [OMAC1]. Although the OMAC1 algorithm is based on the eXtended Cipher 75 Block Chaining mode (XCBC) algorithm submitted by Rogaway and Black 76 [XCBC], OMAC1 efficiently reduces the key size of XCBC. This memo 77 specifies the authentication mechanism based on CMAC mode of 78 operation with 128-bit Advanced Encryption Standard(AES) cipher 79 block. This new authentication algorithm is named AES-CMAC 81 2. Specification of Language 83 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 84 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 85 document are to be interpreted as described in RFC 2119 [3]. 87 In addition, the following words are used to signify the requirements 88 of the specification. 90 3. AES-CMAC Algorithm 92 3.1 Basic definitions 94 The following table describes the basic definitions necessary to 95 explain CMAC algorithm and definitions. 97 || Concatenation. 98 a || b means the concatenation a with following b. 100 XOR Exclusive OR. 101 a XOR b means the result of exclusive-OR'ing a 102 with b. 104 [x] Ceiling function. 105 [3.5] results 4. [5] results 5. 107 << Left-shift operation. 108 10010001 << 1 is equal to 00100010. 110 x^y y-times repeated x. 111 0^3 means that 000 in binary format 112 10^4 means that 10000 in binary format 113 10^i means that 1 and i-times repeated 0. 115 CBC Cipher Block Chaining mode of operation for message 116 authentication code. 118 MAC Message Authentication Code. 119 A bitstring of a fixed length, computed by MAC 120 generation algorithm, that is used to established 121 the authority and hence, the integrity of a message. 123 CMAC Cipher-based MAC based on an approved symmetric key 124 block cipher, such as the Advanced Encryption 125 Standard. 127 MSB(x) The most-significant bit of x. 128 MSB(10010001) means 1. 130 padding(x) 10^i padded output of input x. 131 It is described in detail in section 3. 133 Key (K) 128-bits (16bytes) long key for AES-128 cipher block. 134 Denoted by K. 136 K1 First subkey, K1 is generated by subkey generation 137 method. 139 K2 Second subkey, K2 is generated by subkey generation 140 method. 142 Message (M) Message to be authenticated. 143 Denoted by M. 144 The total message M is denoted by sequence of M_i 145 where M_i is the i'th block with size 128-bit. 146 Message can be null message which means that the 147 length of M is 0. 149 Length (len) The length of message M in bytes. 150 Denoted by len. 151 Minimum value of the length can be 0. The maximum 152 value of the length is not specified in this document. 154 AES-128(K,M) 128-bit ciphertext, output of performing AES-128 155 cipher block of 128-bit plaintext M with 128-bit 156 Key K 158 AES-CMAC CMAC generation function based on AES block cipher 159 with 128-bits key 161 3.2 Overview 163 The Advanced Encryption Standard [AES] is recently defined symmetric 164 key block cipher by NIST. AES-CMAC algorithm uses the CBC mode of 165 operation based on block cipher with 128-bit key for message 166 authentication code generation. In CBC-mode uses output of the 167 cipher block in order to exclusive-or with next input block. 168 The output of CMAC-mode will provide data integrity over whole 169 input message. 171 There are two cases of operation in CMAC. Figure 3.1 illustrated the 172 operation of CBC-MAC with two cases. If the size of input 173 message block is equal to multiple of block size namely 128-bits, 174 the last block processing shall be exclusive-OR'ed with K1. 175 Otherwise, the last block shall be padded with 10^i (notation is 176 described in section 3.1) and exclusive-OR'ed with K2. The result 177 of the previous process will be the input of the last CBC operation. 179 +-----+ +-----+ +-----+ +-----+ +-----+ +---+----+ 180 | M_1 | | M_2 | | M_n | | M_1 | | M_2 | |M_n|10^i| 181 +-----+ +-----+ +-----+ +-----+ +-----+ +---+----+ 182 | | | | | | 183 | +--->(+) +--->(+)<- K1 | +--->(+) +--->(+)<- K2 184 | | | | | | | | | | 185 +-----+ | +-----+ | +-----+ +-----+ | +-----+ | +-----+ 186 | E_k | | | E_k | | | E_k | | E_k | | | E_k | | | E_k | 187 +-----+ | +-----+ | +-----+ +-----+ | +-----+ | +-----+ 188 | | | | | | | | | | 189 +-----+ +-----+ | +-----+ +-----+ | 190 | | 191 T T 192 (a) multiple block size (b) not multiple block size 194 Figure 3.1 Illustration of two cases of CMAC generation 196 E_k is cipher block function with key, k. In this memo, 197 E is the AES-128 cipher block and k is input key namely K. 198 M_i means the message block with length 128-bit where i = 1...n. 199 K1 is the key for the case (a). 200 K2 is the key for the case (b). 201 K1 and K2 is generated by subkey generation method described in 202 section 3.4.2. 204 3.3 Input and Output 206 3.3.1 Input 208 A given block cipher and key typically fixed across most CMAC 209 invocations are called prerequisites. A given block cipher in 210 this memo is AES-128 and length of key is 128-bits (16bytes). 211 Other input parameters defined in this memo are 'M' denoting 212 the message to be authenticated and 'len' denoting the length 213 of message M in bytes. The total message M is denoted by sequence 214 of M_i where M_i is the i'th block with size 128-bit. 216 3.3.2 Output 218 The output of AES-CMAC can validate the input message. 219 Validating the message provide assurance of the integrity and 220 authenticity over the message from the source. According to 221 [NIST-CMAC] at least 64-bits should be used for against guessing 222 attack. Result of truncation should be taken in most significant 223 bits first order. 225 3.4 Padding 227 AES-CMAC uses cipher block with fixed length (128-bit). There 228 should be a special treatment in case that the length of plaintext is 229 not divided by cipher block length. The special treatment is to pad 230 10^i bit-string for adjusting size of the last-block up to the cipher 231 block length. 233 The method of padding is described as [OMAC1]. 234 Padding(x) means 10^i padded output with 128-bit length. 235 If the input x has length r-bytes, padding(x) is defined as follows: 237 - padding(x) = x || 10^i where i is 128-8*r-1 239 3.5 Subkey Generation 241 AES-CMAC algorithm requires the subkeys K1 and K2. K1 is used 242 for the case that the size of last block is equal to cipher block 243 size. K2 is used for the case that the size of last block is less 244 than cipher block size. 246 Through Generate_Subkey algorithm, we get K1 and K2 from the input K 247 which is the input key described 3.3. 249 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 250 + Algorithm Generate_Subkey + 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 252 + + 253 + Input : K (128-bit Key described in section 4.1) + 254 + Output : K1 (128-bit subkey) + 255 + K2 (128-bit subkey) + 256 +-------------------------------------------------------------------+ 257 + + 258 + Constants: const_Zero is 0x00000000000000000000000000000000 + 259 + const_Rb is 0x00000000000000000000000000000087 + 260 + Variables: L for output of AES-128 applied to 0^128 + 261 + + 262 + Step 1. L := AES-128(K, const_Zero); + 263 + Step 2. if MSB(L) is equal to 0 + 264 + then K1 := L << 1; + 265 + else K1 := (L << 1) XOR const_Rb; + 266 + Step 3. if MSB(K1) is equal to 0 + 267 + then K2 := K1 << 1; + 268 + else K2 := (K1 << 1) XOR const_Rb; + 269 + Step 4. return K1, K2; + 270 + + 271 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 273 Figure 3.2 Generate_Subkey Algorithm 274 Figure 3.2 describes the algorithm generating subkeys. 275 In step 1. AES-128 is applied to all zero bits with key K. 277 In step 2 K1 is derive through following operation: 278 If the most significant bit of L is equal to 0, left-shift L by 1 279 bit. Otherwise, exclusive-OR const_Rb with the result of 1-bit 280 left-shift of L. 282 In step 3. K2 is derived through following operation: 283 If the most significant bit of K1 is equal to 0, left-shift 284 K1 by 1 bit. Otherwise, exclusive-OR const_Rb with the result 285 of 1-bit left-shift of K1. 286 In step 4. return K1 and K2. 288 The mathematical meaning of procedure in step 2 and step 3 including 289 const_Rb can be found in [OMAC1]. 291 3.6 AES-CMAC Generation 293 To perform the algorithm, we should have Generate_Subkey algorithm 294 which is described in section 3.4.2 and padding function which is 295 used in case that the size of last block is less than the cipher 296 block size. 298 Inputs of AES-CMAC are K, M, len which are described in section 3.3. 300 Output of AES-CMAC is T which is the authentication code described 301 in section 3.3. 303 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 304 + Algorithm AES-CMAC + 305 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 306 + + 307 + Input : K ( 128-bit Symmetric Key ) + 308 + : M ( message to be authenticated ) + 309 + : len ( length of message in bytes ) + 310 + Output : T ( message authenticated code ) + 311 + + 312 +-------------------------------------------------------------------+ 313 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 314 + Constants: const_Zero is 0x00000000000000000000000000000000 + 315 + const_Rb is 0x00000000000000000000000000000087 + 316 + const_Bsize is 16 in bytes for 128-bit block + 317 + + 318 + Variables: K1, K2 for 128-bit subkeys + 319 + M_i means i'th 128-bit block (i=1..[M/const_Bsize]) + 320 + M_last for last block xor-ed with K1 or K2 + 321 + n for number of block to be processed + 322 + r for number of bytes of last block + 323 + flag for denoting if last block is complete or not + 324 + + 325 + Step 1. (K1,K2) := Generate_Subkey(K); + 326 + Step 2. n := [ len/const_Bsize ]; + 327 + Step 3. if n = 0 + 328 + then + 329 + n := 1; + 330 + flag := false; + 331 + else + 332 + if len mod const_Bsize is 0 + 333 + then flag := true; + 334 + else flag := false; + 335 + + 336 + Step 4. if flag is true + 337 + then M_last := M_n XOR K1; + 338 + else M_last := padding(M_n) XOR K2; + 339 + Step 5. X := const_Zero; + 340 + Step 6. for i := 1 to n-1 do + 341 + begin + 342 + Y := X XOR M_i; + 343 + X := AES-128(K,Y); + 344 + end + 345 + Y := M_last XOR X; + 346 + X := AES-128(K,Y); + 347 + Step 7. return T; + 348 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 350 Figure 3.3 AES-CMAC Algorithm 352 Figure 3.3 describes the AES-CMAC authentication code generation 353 algorithm 355 In step 1, Derive subkeys, K1 and K2 with K 357 In step 2, Calculate the number of blocks. The number of blocks 358 is a smallest integer value greater than or equal to quotient by 359 dividing length parameter by 128-bit (16 bytes). 361 In step 3, Check if the last block is complete block. 362 If the input length is less than 128-bit (16 bytes), the number of 363 blocks to be processed shall be 1 and mark the flag as not-complete 364 -block (false). Otherwise, if the last block size is 128-bit, mark 365 the flag as complete-block (true), else mark the flag as not- 366 complete-block (false). 368 In step 4, Pre-calculate the M_last block with exclusive-OR'ing 369 previously calculated subkeys. If the last block is complete block 370 (true), exclusive-OR the last block with K1. 371 Otherwise, exclusive-OR the padded last block with K2. 373 In step 5. Initialize the variable X. 375 In step 6. Perform AES-CBC mode of operation with the input 376 message M_1 to M_{n-1}. And the M_last which is calculated in step 377 4, shall be the last input block for CBC mode of operation. 378 In step 7. we finally return authentication code with 128-bit. 380 4. Security Considerations 382 The security provided by AES-CMAC is based upon the strength of AES. 383 At the time of this writing there are no practical cryptographic 384 attacks against AES or AES-CMAC. 386 As is true with any cryptographic algorithm, part of its strength 387 lies in the correctness of the algorithm implementation, the security 388 of the key management mechanism and its implementation, the strength 389 of the associated secret key, and upon the correctness of the 390 implementation in all of the participating systems. This document 391 contains test vectors to assist in verifying the correctness of 392 AES-CMAC code. 394 5. Test Vectors 396 Following test vectors are same as those of [NIST-CMAC]. 397 The following vectors are also output of the test program in 398 appendix A. 400 -------------------------------------------------- 401 Subkey Generation 402 K 2b7e1516 28aed2a6 abf71588 09cf4f3c 403 AES_128(key,0) 7df76b0c 1ab899b3 3e42f047 b91b546f 404 K1 fbeed618 35713366 7c85e08f 7236a8de 405 K2 f7ddac30 6ae266cc f90bc11e e46d513b 406 -------------------------------------------------- 407 -------------------------------------------------- 408 Example 1: len = 0 409 M 410 AES_CMAC bb1d6929 e9593728 7fa37d12 9b756746 411 -------------------------------------------------- 413 Example 2: len = 16 414 M 6bc1bee2 2e409f96 e93d7e11 7393172a 415 AES_CMAC 070a16b4 6b4d4144 f79bdd9d d04a287c 416 -------------------------------------------------- 418 Example 3: len = 40 419 M 6bc1bee2 2e409f96 e93d7e11 7393172a 420 ae2d8a57 1e03ac9c 9eb76fac 45af8e51 421 30c81c46 a35ce411 422 AES_CMAC dfa66747 de9ae630 30ca3261 1497c827 423 -------------------------------------------------- 425 Example 4: len = 64 426 M 6bc1bee2 2e409f96 e93d7e11 7393172a 427 ae2d8a57 1e03ac9c 9eb76fac 45af8e51 428 30c81c46 a35ce411 e5fbc119 1a0a52ef 429 f69f2445 df4f9b17 ad2b417b e66c3710 430 AES_CMAC 51f0bebf 7e3b9d92 fc497417 79363cfe 431 -------------------------------------------------- 433 6. Acknowledgement 435 Portions of this text were borrowed from [NIST-CMAC]. We would like 436 to thank to OMAC1 author Tetsu Iwata and Kaoru Kurosawa, and CMAC 437 author Morris Dworkin, and special thanks to David Johnston for 438 providing AES cipher block test code. 440 7. Author's Address 442 Junhyuk Song 443 Samsung Electronics 444 +82-31-279-3639 445 santajunman@hanafos.com 447 Jicheol Lee 448 Samsung Electronics 449 +82-31-279-3605 450 jicheol.lee@samsung.com 452 8. References 454 [NIST-CMAC] NIST, Special Publication 800-38B Draft,"Recommendation 455 for Block Cipher Modes of Operation: The CMAC Method 456 for Authentication," March 9, 2005 458 [AES] NIST, FIPS 197, "Advanced Encryption Standard (AES)," 459 November 2001. http://csrc.nist.gov/publications/fips/ 460 fips197/fips-197.pdf 462 [OMAC1] "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa, 463 Department of Computer and Information Sciences, 464 Ilbaraki University, March 10, 2003. 466 [XCBC] Black, J. and P. Rogaway, "A Suggestion for Handling 467 Arbitrary-Length Messages with the CBC MAC," NIST 468 Second Modes of Operation Workshop, August 2001. 469 http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ 470 xcbc-mac/xcbc-mac-spec.pdf 472 Appendix A. Test Code 474 /****************************************************************/ 475 /* AES-CMAC with AES-128 bit */ 476 /* AES-128 from David Johnston (802.16) */ 477 /* CMAC Algorithm described in SP800-38B draft */ 478 /* Author: Junhyuk Song (junhyuk.song@samsung.com) */ 479 /* Jicheol Lee (jicheol.lee@samsung.com) */ 480 /****************************************************************/ 482 #include 484 /******** SBOX Table *********/ 485 unsigned char sbox_table[256] = { 486 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 487 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 488 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 489 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 490 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 491 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 492 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 493 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 494 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 495 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 496 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 497 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 498 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 499 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 500 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 501 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 502 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 503 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 504 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 505 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 506 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 507 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 508 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 509 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, 510 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 511 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 512 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 513 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 514 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 515 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 516 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 517 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 518 }; 520 /* For CMAC Calculation */ 521 unsigned char const_Rb[16] = { 522 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87 524 }; 525 unsigned char const_Zero[16] = { 526 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 527 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 528 }; 530 /*****************************/ 531 /**** Function Prototypes ****/ 532 /*****************************/ 534 void xor_128(unsigned char *a, unsigned char *b, unsigned char *out); 535 void xor_32(unsigned char *a, unsigned char *b, unsigned char *out); 536 unsigned char sbox(unsigned char a); 537 void next_key(unsigned char *key, int round); 538 void byte_sub(unsigned char *in, unsigned char *out); 539 void shift_row(unsigned char *in, unsigned char *out); 540 void mix_column(unsigned char *in, unsigned char *out); 541 void add_round_key( unsigned char *shiftrow_in, 542 unsigned char *mcol_in, 543 unsigned char *block_in, 544 int round, 545 unsigned char *out); 547 void AES_128(unsigned char *key, unsigned char *data, unsigned char 548 *ciphertext); 549 void leftshift_onebit(unsigned char *input,unsigned char *output); 551 /****************************************/ 552 /* AES_128() */ 553 /* Performs a 128 bit AES encrypt with */ 554 /* 128 bit data. */ 555 /****************************************/ 557 void xor_128(unsigned char *a, unsigned char *b, unsigned char *out) 558 { 559 int i; 560 for (i=0;i<16; i++) 561 { 562 out[i] = a[i] ^ b[i]; 563 } 564 } 566 void xor_32(unsigned char *a, unsigned char *b, unsigned char *out) 567 { 568 int i; 569 for (i=0;i<4; i++) 570 { 571 out[i] = a[i] ^ b[i]; 572 } 573 } 575 unsigned char sbox(unsigned char a) 576 { 577 return sbox_table[(int)a]; 578 } 580 void next_key(unsigned char *key, int round) 581 { 582 unsigned char rcon; 583 unsigned char sbox_key[4]; 584 unsigned char rcon_table[12] = { 585 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 586 0x1b, 0x36, 0x36, 0x36 587 }; 589 sbox_key[0] = sbox(key[13]); 590 sbox_key[1] = sbox(key[14]); 591 sbox_key[2] = sbox(key[15]); 592 sbox_key[3] = sbox(key[12]); 593 rcon = rcon_table[round]; 595 xor_32(&key[0], sbox_key, &key[0]); 596 key[0] = key[0] ^ rcon; 598 xor_32(&key[4], &key[0], &key[4]); 599 xor_32(&key[8], &key[4], &key[8]); 600 xor_32(&key[12], &key[8], &key[12]); 601 } 603 void byte_sub(unsigned char *in, unsigned char *out) 604 { 605 int i; 606 for (i=0; i< 16; i++) 607 { 608 out[i] = sbox(in[i]); 609 } 610 } 612 void shift_row(unsigned char *in, unsigned char *out) 613 { 614 out[0] = in[0]; 615 out[1] = in[5]; 616 out[2] = in[10]; 617 out[3] = in[15]; 618 out[4] = in[4]; 619 out[5] = in[9]; 620 out[6] = in[14]; 621 out[7] = in[3]; 622 out[8] = in[8]; 623 out[9] = in[13]; 624 out[10] = in[2]; 625 out[11] = in[7]; 626 out[12] = in[12]; 627 out[13] = in[1]; 628 out[14] = in[6]; 629 out[15] = in[11]; 630 } 632 void mix_column(unsigned char *in, unsigned char *out) 633 { 634 int i; 635 unsigned char add1b[4]; 636 unsigned char add1bf7[4]; 637 unsigned char rotl[4]; 638 unsigned char swap_halfs[4]; 639 unsigned char andf7[4]; 640 unsigned char rotr[4]; 641 unsigned char temp[4]; 642 unsigned char tempb[4]; 644 for (i=0 ; i<4; i++) 645 { 646 if ((in[i] & 0x80)== 0x80) 647 add1b[i] = 0x1b; 648 else 649 add1b[i] = 0x00; 650 } 652 swap_halfs[0] = in[2]; /* Swap halfs */ 653 swap_halfs[1] = in[3]; 654 swap_halfs[2] = in[0]; 655 swap_halfs[3] = in[1]; 657 rotl[0] = in[3]; /* Rotate left 8 bits */ 658 rotl[1] = in[0]; 659 rotl[2] = in[1]; 660 rotl[3] = in[2]; 662 andf7[0] = in[0] & 0x7f; 663 andf7[1] = in[1] & 0x7f; 664 andf7[2] = in[2] & 0x7f; 665 andf7[3] = in[3] & 0x7f; 667 for (i = 3; i>0; i--) /* logical shift left 1 bit */ 668 { 669 andf7[i] = andf7[i] << 1; 670 if ((andf7[i-1] & 0x80) == 0x80) 671 { 672 andf7[i] = (andf7[i] | 0x01); 673 } 674 } 675 andf7[0] = andf7[0] << 1; 676 andf7[0] = andf7[0] & 0xfe; 678 xor_32(add1b, andf7, add1bf7); 680 xor_32(in, add1bf7, rotr); 682 temp[0] = rotr[0]; /* Rotate right 8 bits */ 683 rotr[0] = rotr[1]; 684 rotr[1] = rotr[2]; 685 rotr[2] = rotr[3]; 686 rotr[3] = temp[0]; 687 xor_32(add1bf7, rotr, temp); 688 xor_32(swap_halfs, rotl,tempb); 689 xor_32(temp, tempb, out); 690 } 692 void AES_128(unsigned char *key, unsigned char *data, unsigned char 693 *ciphertext) 694 { 695 int round; 696 int i; 697 unsigned char intermediatea[16]; 698 unsigned char intermediateb[16]; 699 unsigned char round_key[16]; 701 for(i=0; i<16; i++) round_key[i] = key[i]; 703 for (round = 0; round < 11; round++) 704 { 705 if (round == 0) 706 { 707 xor_128(round_key, data, ciphertext); 708 next_key(round_key, round); 709 } 711 else if (round == 10) 712 { 713 byte_sub(ciphertext, intermediatea); 714 shift_row(intermediatea, intermediateb); 715 xor_128(intermediateb, round_key, ciphertext); 716 } 717 else /* 1 - 9 */ 718 { 719 byte_sub(ciphertext, intermediatea); 720 shift_row(intermediatea, intermediateb); 721 mix_column(&intermediateb[0], &intermediatea[0]); 722 mix_column(&intermediateb[4], &intermediatea[4]); 723 mix_column(&intermediateb[8], &intermediatea[8]); 724 mix_column(&intermediateb[12], &intermediatea[12]); 725 xor_128(intermediatea, round_key, ciphertext); 726 next_key(round_key, round); 727 } 728 } 729 } 730 void print_hex(char *str, unsigned char *buf, int len) 731 { 732 int i; 734 for ( i=0; i=0; i-- ) { 769 output[i] = input[i] << 1; 770 output[i] |= overflow; 771 overflow = (input[i] & 0x80)?1:0; 772 } 773 return; 774 } 776 void generate_subkey(unsigned char *key, unsigned char *K1, unsigned 777 char *K2) 778 { 779 unsigned char L[16]; 780 unsigned char Z[16]; 781 unsigned char tmp[16]; 782 int i; 784 for ( i=0; i<16; i++ ) Z[i] = 0; 786 AES_128(key,Z,L); 788 if ( (L[0] & 0x80) == 0 ) { /* If MSB(L) = 0, then K1 = L << 1 */ 789 leftshift_onebit(L,K1); 790 } else { /* Else K1 = ( L << 1 ) (+) Rb */ 791 leftshift_onebit(L,tmp); 792 xor_128(tmp,const_Rb,K1); 793 } 795 if ( (K1[0] & 0x80) == 0 ) { 796 leftshift_onebit(K1,K2); 797 } else { 798 leftshift_onebit(K1,tmp); 799 xor_128(tmp,const_Rb,K2); 800 } 801 return; 802 } 804 void padding ( unsigned char *lastb, unsigned char *pad, int length ) 805 { 806 int j; 808 /* original last block */ 809 for ( j=0; j<16; j++ ) { 810 if ( j < length ) { 811 pad[j] = lastb[j]; 812 } else if ( j == length ) { 813 pad[j] = 0x80; 814 } else { 815 pad[j] = 0x00; 816 } 817 } 818 } 820 void AES_CMAC ( unsigned char *key, unsigned char *input, int length, 821 unsigned char *mac ) 822 { 823 unsigned char X[16],Y[16], M_last[16], padded[16]; 824 unsigned char K1[16], K2[16]; 825 int n, i, flag; 826 generate_subkey(key,K1,K2); 828 n = (length+15) / 16; /* n is number of rounds */ 829 if ( n == 0 ) { 830 n = 1; 831 flag = 0; 832 } else { 833 if ( (length%16) == 0 ) { /* last block is a complete block */ 834 flag = 1; 835 } else { /* last block is not complete block */ 836 flag = 0; 837 } 838 } 840 if ( flag ) { /* last block is complete block */ 841 xor_128(&input[16*(n-1)],K1,M_last); 842 } else { 843 padding(&input[16*(n-1)],padded,length%16); 844 xor_128(padded,K2,M_last); 845 } 847 for ( i=0; i<16; i++ ) X[i] = 0; 849 for ( i=0; i\n"); 893 AES_CMAC(key,M,0,T); 894 printf("AES_CMAC "); print128(T); printf("\n"); 896 printf("\nExample 2: len = 16\n"); 897 printf("M "); print_hex(" ",M,16); 898 AES_CMAC(key,M,16,T); 899 printf("AES_CMAC "); print128(T); printf("\n"); 901 printf("\nExample 3: len = 40\n"); 902 printf("M "); print_hex(" ",M,40); 903 AES_CMAC(key,M,40,T); 904 printf("AES_CMAC "); print128(T); printf("\n"); 906 printf("\nExample 4: len = 64\n"); 907 printf("M "); print_hex(" ",M,64); 908 AES_CMAC(key,M,64,T); 909 printf("AES_CMAC "); print128(T); printf("\n"); 911 printf("--------------------------------------------------\n"); 913 return 0; 914 } 915 Intellectual Property Statement 917 The IETF takes no position regarding the validity or scope of any 918 Intellectual Property Rights or other rights that might be claimed to 919 pertain to the implementation or use of the technology described in 920 this document or the extent to which any license under such rights 921 might or might not be available; nor does it represent that it has 922 made any independent effort to identify any such rights. Information 923 on the procedures with respect to rights in RFC documents can be 924 found in BCP 78 and BCP 79. 926 Copies of IPR disclosures made to the IETF Secretariat and any 927 assurances of licenses to be made available, or the result of an 928 attempt made to obtain a general license or permission for the use of 929 such proprietary rights by implementers or users of this 930 specification can be obtained from the IETF on-line IPR repository at 931 http://www.ietf.org/ipr. 933 The IETF invites any interested party to bring to its attention any 934 copyrights, patents or patent applications, or other proprietary 935 rights that may cover technology that may be required to implement 936 this standard. Please address the information to the IETF at 937 ietf-ipr@ietf.org. 939 Disclaimer of Validity 941 This document and the information contained herein are provided on an 942 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 943 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 944 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 945 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 946 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 947 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 949 Copyright Statement 951 Copyright (C) The Internet Society (2005). This document is subject 952 to the rights, licenses and restrictions contained in BCP 78, and 953 except as set forth therein, the authors retain all their rights. 955 Acknowledgment 957 Funding for the RFC Editor function is currently provided by the 958 Internet Society.