idnits 2.17.00 (12 Aug 2021) /tmp/idnits25480/draft-songlee-aes-cmac-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1043. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1020. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1027. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1033. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 5 instances of too long lines in the document, the longest one being 2 characters in excess of 72. ** There are 29 instances of lines with control characters in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 243 has weird spacing: '...onst_Rb is 0...' == Line 332 has weird spacing: '...onst_Rb is 0...' == Line 340 has weird spacing: '... flag for ...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '256' on line 589 -- Looks like a reference, but probably isn't: '16' on line 972 -- Looks like a reference, but probably isn't: '4' on line 821 -- Looks like a reference, but probably isn't: '12' on line 961 -- Looks like a reference, but probably isn't: '0' on line 894 -- Looks like a reference, but probably isn't: '13' on line 728 -- Looks like a reference, but probably isn't: '1' on line 784 -- Looks like a reference, but probably isn't: '14' on line 729 -- Looks like a reference, but probably isn't: '2' on line 785 -- Looks like a reference, but probably isn't: '15' on line 730 -- Looks like a reference, but probably isn't: '3' on line 786 -- Looks like a reference, but probably isn't: '8' on line 822 -- Looks like a reference, but probably isn't: '5' on line 720 -- Looks like a reference, but probably isn't: '10' on line 725 -- Looks like a reference, but probably isn't: '9' on line 724 -- Looks like a reference, but probably isn't: '6' on line 729 -- Looks like a reference, but probably isn't: '7' on line 726 -- Looks like a reference, but probably isn't: '11' on line 730 -- Looks like a reference, but probably isn't: '64' on line 962 -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST-CMAC' -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST-AES' ** Downref: Normative reference to an Informational RFC: RFC 2104 (ref. 'RFC-HMAC') -- Possible downref: Non-RFC (?) normative reference: ref. 'OMAC1a' -- Possible downref: Non-RFC (?) normative reference: ref. 'OMAC1b' -- Possible downref: Non-RFC (?) normative reference: ref. 'XCBCa' -- Possible downref: Non-RFC (?) normative reference: ref. 'XCBCb' Summary: 8 errors (**), 0 flaws (~~), 5 warnings (==), 33 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 JunHyuk Song 2 Radha Poovendran 3 University of Washington 4 Jicheol Lee 5 Samsung Electronics 6 Tetsu Iwata 7 INTERNET DRAFT Ibaraki University 8 Expires: May 6, 2006 November 7 2005 10 The AES-CMAC Algorithm 11 draft-songlee-aes-cmac-02.txt 13 Status of This Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 Copyright Notice 38 Copyright (C) The Internet Society (2005). 40 Abstract 42 National Institute of Standards and Technology (NIST) has newly 43 specified the Cipher-based Message Authentication Code (CMAC) 44 which is equivalent to the One-Key CBC MAC1 (OMAC1) submitted by 45 Iwata and Kurosawa. This memo specifies the authentication algorithm 46 based on CMAC with 128-bit Advanced Encryption Standard (AES). 47 This new authentication algorithm is named AES-CMAC. 48 The purpose of this document is to make the AES-CMAC algorithm 49 conveniently available to the Internet Community. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2 54 2. Specification of AES-CMAC . . . . . . . . . . . . . . . . 3 55 2.1 Basic definitions . . . . . . . . . . . . . . . . . . . . 3 56 2.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 2.3 Subkey Generation Algorithm . . . . . . . . . . . . . . . 5 58 2.4 MAC Generation Algorithm . . . . . . . . . . . . . . . . . 7 59 2.5 MAC Verification Algorithm . . . . . . . . . . . . . . . . 9 60 3. Security Considerations . . . . . . . . . . . . . . . . . . 10 61 4. Test Vector . . . . . . . . . . . . . . . . . . . . . . . . 11 62 5. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 12 63 6. Authors address . . . . . . . . . . . . . . . . . . . . . . 12 64 7. References . . . . . . . . . . . . . . . . . . . . . . . . 13 65 Appendix A. Test Code . . . . . . . . . . . . . . . . . . . . 14 67 1. Introduction 69 National Institute of Standards and Technology (NIST) has newly 70 specified the Cipher-based Message Authentication Code (CMAC). 71 CMAC [NIST-CMAC] is a keyed hash function that is based on a 72 symmetric key block cipher such as the Advanced Encryption 73 Standard [NIST-AES]. CMAC is equivalent to the One-Key CBC MAC1 74 (OMAC1) submitted by Iwata and Kurosawa [OMAC1a, OMAC1b]. OMAC1 75 is an improvement of the eXtended Cipher Block Chaining mode (XCBC) 76 submitted by Black and Rogaway [XCBCa, XCBCb], which itself is an 77 improvement of the basic CBC-MAC. XCBC efficiently addresses the 78 security deficiencies of CBC-MAC, and OMAC1 efficiently reduces the 79 key size of XCBC. 81 AES-CMAC provides stronger assurance of data integrity than a 82 checksum or an error detecting code. The verification of a checksum 83 or an error detecting code detects only accidental modifications of 84 the data, while CMAC is designed to detect intentional, unauthorized 85 modifications of the data, as well as accidental modifications. 87 AES-CMAC achieves the similar security goal of HMAC [RFC-HMAC]. 88 Since AES-CMAC is based on a symmetric key block cipher, AES, 89 while HMAC is based on a hash function, such as SHA-1, AES-CMAC 90 is appropriate for information systems in which AES is more readily 91 available than a hash function. 93 This memo specifies the authentication algorithm based on CMAC with 94 AES-128. This new authentication algorithm is named AES-CMAC. 96 2. Specification of AES-CMAC 98 2.1 Basic definitions 100 The following table describes the basic definitions necessary to 101 explain the specification of AES-CMAC. 103 x || y Concatenation. 104 x || y is the string x concatenated with string y. 105 0000 || 1111 is 00001111. 107 x XOR y Exclusive-OR operation. 108 For two equal length strings x and y, 109 x XOR y is their bit-wise exclusive-OR. 111 ceil(x) Ceiling function. 112 The smallest integer no smaller than x. 113 ceil(3.5) is 4. ceil(5) is 5. 115 x << 1 Left-shift of the string x by 1 bit. 116 The most significant bit disappears and a zero 117 comes into the least significant bit. 118 10010001 << 1 is 00100010. 120 0^n The string that consists of n zero-bits. 121 0^3 means that 000 in binary format. 122 10^4 means that 10000 in binary format. 123 10^i means that 1 followed by i-times repeated 124 zero's. 126 MSB(x) The most-significant bit of the string x. 127 MSB(10010000) means 1. 129 padding(x) 10^i padded output of input x. 130 It is described in detail in section 2.4. 132 Key 128 bits (16 bytes) long key for AES-128. 133 Denoted by K. 135 First subkey 128 bits (16 bytes) long first subkey, 136 derived through the subkey 137 generation algorithm from the key K. 138 Denoted by K1. 140 Second subkey 128 bits (16 bytes) long second subkey, 141 derived through the subkey 142 generation algorithm from the key K. 143 Denoted by K2. 145 Message A message to be authenticated. 146 Denoted by M. 147 The message can be null, which means that the length 148 of M is 0. 150 Message length The length of the message M in bytes. 151 Denoted by len. 152 Minimum value of the length can be 0. The maximum 153 value of the length is not specified in this document. 155 AES-128(K,M) AES-128(K,M) is the 128-bit ciphertext of AES-128 156 for a 128-bit key K and a 128-bit message M. 158 MAC A 128-bit string which is the output of AES-CMAC. 159 Denoted by T. 160 Validating the MAC provides assurance of the 161 integrity and authenticity over the message from 162 the source. 164 MAC length By default, the length of the output of AES-CMAC is 165 128 bits. It is possible to truncate the MAC. 166 Result of truncation should be taken in most 167 significant bits first order. MAC length must be 168 specified before the communication starts, and 169 it must not be changed during the life time of the key. 171 2.2 Overview 173 AES-CMAC uses the Advanced Encryption Standard [NIST-AES] as a 174 building block. To generate a MAC, AES-CMAC takes a secret key, 175 a message of variable length and the length of the message in bytes 176 as inputs, and returns a fixed bit string called a MAC. 178 The core of AES-CMAC is the basic CBC-MAC. For a message M to be 179 authenticated, the CBC-MAC is applied to M. There are two cases of 180 operation in CMAC. Figure 2.1 illustrated the operation of CBC-MAC 181 with two cases. If the size of input message block is equal to 182 multiple of block size namely 128 bits, the last block processing 183 shall be exclusive-OR'ed with K1. Otherwise, the last block shall 184 be padded with 10^i (notation is described in section 2.1) and 185 exclusive-OR'ed with K2. The result of the previous process will be 186 the input of the last CBC operation. The output of AES-CMAC provides 187 data integrity over whole input message. 189 +-----+ +-----+ +-----+ +-----+ +-----+ +---+----+ 190 | M_1 | | M_2 | | M_n | | M_1 | | M_2 | |M_n|10^i| 191 +-----+ +-----+ +-----+ +-----+ +-----+ +---+----+ 192 | | | +--+ | | | +--+ 193 | +--->(+) +--->(+)<-|K1| | +--->(+) +--->(+)<-|K2| 194 | | | | | +--+ | | | | | +--+ 195 +-----+ | +-----+ | +-----+ +-----+ | +-----+ | +-----+ 196 |AES_K| | |AES_K| | |AES_K| |AES_K| | |AES_K| | |AES_K| 197 +-----+ | +-----+ | +-----+ +-----+ | +-----+ | +-----+ 198 | | | | | | | | | | 199 +-----+ +-----+ | +-----+ +-----+ | 200 | | 201 +-----+ +-----+ 202 | T | | T | 203 +-----+ +-----+ 205 (a) positive multiple block length (b) otherwise 207 Figure 2.1 Illustration of two cases of AES-CMAC. 209 AES_K is AES-128 with key K. 210 The message M is divided into blocks M_1,...,M_n, 211 where M_i is the i-th message block. 212 The length of M_i is 128 bits for i = 1,...,n-1, and 213 the length of the last block M_n is less than or equal to 128 bits. 214 K1 is the subkey for the case (a), and 215 K2 is the subkey for the case (b). 216 K1 and K2 are generated by the subkey generation algorithm 217 described in section 2.3. 219 2.3 Subkey Generation Algorithm 221 The subkey generation algorithm, Generate_Subkey(), takes a secret 222 key, K, which is just the key for AES-128. 224 The output of the subkey generation algorithm is two subkeys, K1 225 and K2. We write (K1,K2) := Generate_Subkey(K). 227 Subkeys K1 and K2 are used in both MAC generation and MAC 228 verification algorithms. K1 is used for the case where the length 229 of the last block is equal to the block length. K2 is used for the 230 case where the length of the last block is less than the block 231 length. 233 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 234 + Algorithm Generate_Subkey + 235 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 236 + + 237 + Input : K (128-bit key) + 238 + Output : K1 (128-bit first subkey) + 239 + K2 (128-bit second subkey) + 240 +-------------------------------------------------------------------+ 241 + + 242 + Constants: const_Zero is 0x00000000000000000000000000000000 + 243 + const_Rb is 0x00000000000000000000000000000087 + 244 + Variables: L for output of AES-128 applied to 0^128 + 245 + + 246 + Step 1. L := AES-128(K, const_Zero); + 247 + Step 2. if MSB(L) is equal to 0 + 248 + then K1 := L << 1; + 249 + else K1 := (L << 1) XOR const_Rb; + 250 + Step 3. if MSB(K1) is equal to 0 + 251 + then K2 := K1 << 1; + 252 + else K2 := (K1 << 1) XOR const_Rb; + 253 + Step 4. return K1, K2; + 254 + + 255 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 257 Figure 2.2 Algorithm Generate_Subkey 259 Figure 2.2 specifies the subkey generation algorithm. 260 In step 1, AES-128 is applied to all zero bits with the input 261 key K. 263 In step 2, K1 is derived through the following operation: 264 If the most significant bit of L is equal to 0, K1 is 265 the left-shift of L by 1-bit. 266 Otherwise, K1 is the exclusive-OR of const_Rb and 267 the left-shift of L by 1-bit. 269 In step 3, K2 is derived through the following operation: 270 If the most significant bit of K1 is equal to 0, K2 is 271 the left-shift of K1 by 1-bit. 272 Otherwise, K2 is the exclusive-OR of const_Rb and 273 the left-shift of K1 by 1-bit. 275 In step 4, (K1,K2) := Generate_Subkey(K) is returned. 277 The mathematical meaning of procedure in step 2 and step 3 278 including const_Rb can be found in [OMAC1a]. 280 2.4 MAC Generation Algorithm 282 The MAC generation algorithm, AES-CMAC(), takes three inputs, 283 a secret key, a message, and the length of the message in bytes. 284 The secret key, denoted by K, is just the key for AES-128. 285 The message and its length in bytes are denoted by M and len, 286 respectively. The message M is denoted by the sequence of M_i 287 where M_i is the i-th message block. That is, if M consists of 288 n blocks, then M is written as 290 - M = M_1 || M_2 || ... || M_{n-1} || M_n 292 The length of M_i is 128 bits for i = 1,...,n-1, and the length of 293 the last block M_n is less than or equal to 128 bits. 295 The output of the MAC generation algorithm is a 128-bit string, 296 called a MAC, which can be used to validate the input message. 297 The MAC is denoted by T and we write T := AES-CMAC(K,M,len). 298 Validating the MAC provides assurance of the integrity and 299 authenticity over the message from the source. 301 It is possible to truncate the MAC. According to [NIST-CMAC] at 302 least 64-bit MAC should be used for against guessing attack. 303 Result of truncation should be taken in most significant bits first 304 order. 306 The block length of AES-128 is 128 bits (16 bytes). There is a 307 special treatment in case that the length of the message is 308 not a positive multiple of the block length. The special treatment 309 is to pad 10^i bit-string for adjusting the length of the last 310 block up to the block length. 312 For the input string x of r-bytes, where r < 16, the padding 313 function, padding(x), is defined as follows. 315 - padding(x) = x || 10^i where i is 128-8*r-1 317 That is, padding(x) is the concatenation of x and a single '1' 318 followed by the minimum number of '0's so that the total length is 319 equal to 128 bits. 321 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 322 + Algorithm AES-CMAC + 323 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 324 + + 325 + Input : K ( 128-bit key ) + 326 + : M ( message to be authenticated ) + 327 + : len ( length of the message in bytes ) + 328 + Output : T ( message authenticated code ) + 329 + + 330 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 331 + Constants: const_Zero is 0x00000000000000000000000000000000 + 332 + const_Rb is 0x00000000000000000000000000000087 + 333 + const_Bsize is 16 + 334 + + 335 + Variables: K1, K2 for 128-bit subkeys + 336 + M_i is the i-th block (i=1..ceil(len/const_Bsize)) + 337 + M_last is the last block xor-ed with K1 or K2 + 338 + n for number of blocks to be processed + 339 + r for number of bytes of last block + 340 + flag for denoting if last block is complete or not + 341 + + 342 + Step 1. (K1,K2) := Generate_Subkey(K); + 343 + Step 2. n := ceil(len/const_Bsize); + 344 + Step 3. if n = 0 + 345 + then + 346 + n := 1; + 347 + flag := false; + 348 + else + 349 + if len mod const_Bsize is 0 + 350 + then flag := true; + 351 + else flag := false; + 352 + + 353 + Step 4. if flag is true + 354 + then M_last := M_n XOR K1; + 355 + else M_last := padding(M_n) XOR K2; + 356 + Step 5. X := const_Zero; + 357 + Step 6. for i := 1 to n-1 do + 358 + begin + 359 + Y := X XOR M_i; + 360 + X := AES-128(K,Y); + 361 + end + 362 + Y := M_last XOR X; + 363 + T := AES-128(K,Y); + 364 + Step 7. return T; + 365 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 366 Figure 2.3 Algorithm AES-CMAC 368 Figure 2.3 describes the MAC generation algorithm. 370 In step 1, subkeys K1 and K2 are derived from K through the subkey 371 generation algorithm. 373 In step 2, the number of blocks, n, is calculated. The number of 374 blocks is the smallest integer value greater than or equal to 375 quotient by dividing length parameter by the block length, 16 376 bytes. 378 In step 3, the length of the input message is checked. 379 If the input length is less than 128 bits (including null), the 380 number of blocks to be processed shall be 1 and mark the flag as 381 not-complete-block (false). Otherwise, if the last block length 382 is 128 bits, mark the flag as complete-block (true), else mark the 383 flag as not-complete-block (false). 385 In step 4, M_last is calculated by exclusive-OR'ing 386 M_n and previously calculated subkeys. If the last block is a 387 complete block (true), then M_last is the exclusive-OR of M_n and 388 K1. Otherwise, M_last is the exclusive-OR of padding(M_n) and K2. 390 In step 5, the variable X is initialized. 392 In step 6, the basic CBC-MAC is applied to M_1,...,M_{n-1},M_last. 394 In step 7, the 128-bit MAC, T := AES-CMAC(K,M,len), is returned. 396 If necessary, truncation of the MAC is done before returning the 397 MAC. 399 2.5 MAC Verification Algorithm 401 The verification of the MAC is simply done by a MAC recomputation. 402 We use the MAC generation algorithm which is described in section 403 2.4. 405 The MAC verification algorithm, Verify_MAC(), takes four inputs, 406 a secret key, a message, the length of the message in bytes, and 407 the received MAC. 408 They are denoted by K, M, len, and T' respectively. 410 The output of the MAC verification algorithm is either INVALID or 411 VALID. 413 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 414 + Algorithm Verify_MAC + 415 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 416 + + 417 + Input : K ( 128-bit Key ) + 418 + : M ( message to be verified ) + 419 + : len ( length of the message in bytes ) + 420 + : T' ( the received MAC to be verified ) + 421 + Output : INVALID or VALID + 422 + + 423 +-------------------------------------------------------------------+ 424 + + 425 + Step 1. T* := AES-CMAC(K,M,len); + 426 + Step 2. if T* = T' + 427 + then + 428 + return VALID; + 429 + else + 430 + return INVALID; + 431 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 432 Figure 2.4 Algorithm Verify_MAC 434 Figure 2.4 describes the MAC verification algorithm. 436 In step 1, T* is derived from K, M and len through the MAC generation 437 algorithm. 439 In step 2, T* and T' are compared. If T*=T', then return VALID, 440 otherwise return INVALID. 442 If the output is INVALID, then the message is definitely not 443 authentic, i.e., it did not originate from a source that executed 444 the generation process on the message to produce the purported MAC. 446 If the output is VALID, then the design of the AES-CMAC provides 447 assurance that the message is authentic and, hence, was not 448 corrupted in transit; however, this assurance, as for any MAC 449 algorithm, is not absolute. 451 3. Security Considerations 453 The security provided by AES-CMAC is based upon the strength of AES. 454 At the time of this writing there are no practical cryptographic 455 attacks against AES or AES-CMAC. 457 As is true with any cryptographic algorithm, part of its strength 458 lies in the correctness of the algorithm implementation, the 459 security of the key management mechanism and its implementation, the 460 strength of the associated secret key, and upon the correctness of 461 the implementation in all of the participating systems. 463 This document contains test vectors to assist in verifying the 464 correctness of AES-CMAC code. 466 4. Test Vectors 468 Following test vectors are the same as those of [NIST-CMAC]. 469 The following vectors are also output of the test program in 470 appendix A. 472 -------------------------------------------------- 473 Subkey Generation 474 K 2b7e1516 28aed2a6 abf71588 09cf4f3c 475 AES-128(key,0) 7df76b0c 1ab899b3 3e42f047 b91b546f 476 K1 fbeed618 35713366 7c85e08f 7236a8de 477 K2 f7ddac30 6ae266cc f90bc11e e46d513b 478 -------------------------------------------------- 480 -------------------------------------------------- 481 Example 1: len = 0 482 M 483 AES-CMAC bb1d6929 e9593728 7fa37d12 9b756746 484 -------------------------------------------------- 486 Example 2: len = 16 487 M 6bc1bee2 2e409f96 e93d7e11 7393172a 488 AES-CMAC 070a16b4 6b4d4144 f79bdd9d d04a287c 489 -------------------------------------------------- 491 Example 3: len = 40 492 M 6bc1bee2 2e409f96 e93d7e11 7393172a 493 ae2d8a57 1e03ac9c 9eb76fac 45af8e51 494 30c81c46 a35ce411 495 AES-CMAC dfa66747 de9ae630 30ca3261 1497c827 496 -------------------------------------------------- 498 Example 4: len = 64 499 M 6bc1bee2 2e409f96 e93d7e11 7393172a 500 ae2d8a57 1e03ac9c 9eb76fac 45af8e51 501 30c81c46 a35ce411 e5fbc119 1a0a52ef 502 f69f2445 df4f9b17 ad2b417b e66c3710 503 AES-CMAC 51f0bebf 7e3b9d92 fc497417 79363cfe 504 -------------------------------------------------- 506 5. Acknowledgement 508 Portions of this text here in is borrowed from [NIST-CMAC]. 509 We appreciate OMAC1 authors and SP 800-38B author, and Russ Housley 510 for his useful comments and guidance that have been incorporated 511 herein. We also appreciate David Johnston for providing code of 512 the AES block cipher. 514 6. Author's Address 516 Junhyuk Song 517 University of Washington 518 Samsung Electronics 519 (206) 853-5843 520 songlee@ee.washington.edu 521 junhyuk.song@samsung.com 523 Jicheol Lee 524 Samsung Electronics 525 +82-31-279-3605 526 jicheol.lee@samsung.com 528 Radha Poovendran 529 Network Security Lab 530 University of Washington 531 (206) 221-6512 532 radha@ee.washington.edu 534 Tetsu Iwata 535 Ibaraki University 536 iwata@cis.ibaraki.ac.jp 538 7. References 540 [NIST-CMAC] NIST, SP 800-38B, "Recommendation for Block Cipher 541 Modes of Operation: The CMAC Mode for Authentication," 542 May 2005. 543 http://csrc.nist.gov/publications/nistpubs/800-38B/ 544 SP_800-38B.pdf 546 [NIST-AES] NIST, FIPS 197, "Advanced Encryption Standard (AES)," 547 November 2001. http://csrc.nist.gov/publications/fips/ 548 fips197/fips-197.pdf 550 [RFC-HMAC] Hugo Krawczyk, Mihir Bellare and Ran Canetti, 551 "HMAC: Keyed-Hashing for Message Authentication," 552 RFC2104, February 1997. 554 [OMAC1a] Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC," 555 Fast Software Encryption, FSE 2003, LNCS 2887, 556 pp. 129-153, Springer-Verlag, 2003. 558 [OMAC1b] Tetsu Iwata and Kaoru Kurosawa, "OMAC: One-Key CBC MAC," 559 Submission to NIST, December 2002. 560 Available from the NIST modes of operation web site at 561 http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ 562 omac/omac-spec.pdf 564 [XCBCa] John Black and Phillip Rogaway, "A Suggestion for 565 Handling Arbitrary-Length Messages with the CBC MAC," 566 NIST Second Modes of Operation Workshop, August 2001. 567 Available from the NIST modes of operation web site at 568 http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ 569 xcbc-mac/xcbc-mac-spec.pdf 571 [XCBCb] John Black and Phillip Rogaway, "CBC MACs for 572 Arbitrary-Length Messages: The Three-Key 573 Constructions," Journal of Cryptology, Vol. 18, No. 2, 574 pp. 111-132, Springer-Verlag, Spring 2005. 576 Appendix A. Test Code 578 /****************************************************************/ 579 /* AES-CMAC with AES-128 bit */ 580 /* AES-128 from David Johnston (802.16) */ 581 /* CMAC Algorithm described in SP800-38B draft */ 582 /* Author: Junhyuk Song (junhyuk.song@samsung.com) */ 583 /* Jicheol Lee (jicheol.lee@samsung.com) */ 584 /****************************************************************/ 586 #include 588 /******** SBOX Table *********/ 589 unsigned char sbox_table[256] = { 590 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 591 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 592 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 593 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 594 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 595 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 596 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 597 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 598 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 599 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 600 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 601 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 602 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 603 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 604 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 605 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 606 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 607 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 608 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 609 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 610 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 611 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 612 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 613 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, 614 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 615 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 616 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 617 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 618 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 619 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 620 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 621 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 622 }; 623 /* For CMAC Calculation */ 624 unsigned char const_Rb[16] = { 625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87 627 }; 628 unsigned char const_Zero[16] = { 629 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 630 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 631 }; 633 /*****************************/ 634 /**** Function Prototypes ****/ 635 /*****************************/ 637 void xor_128(unsigned char *a, unsigned char *b, unsigned char *out); 638 void xor_32(unsigned char *a, unsigned char *b, unsigned char *out); 639 unsigned char sbox(unsigned char a); 640 void next_key(unsigned char *key, int round); 641 void byte_sub(unsigned char *in, unsigned char *out); 642 void shift_row(unsigned char *in, unsigned char *out); 643 void mix_column(unsigned char *in, unsigned char *out); 644 void add_round_key( unsigned char *shiftrow_in, 645 unsigned char *mcol_in, 646 unsigned char *block_in, 647 int round, 648 unsigned char *out); 650 void AES_128(unsigned char *key, unsigned char *data, unsigned char 651 *ciphertext); 652 void leftshift_onebit(unsigned char *input,unsigned char *output); 654 /****************************************/ 655 /* AES_128() */ 656 /* Performs a 128 bit AES encrypt with */ 657 /* 128 bit data. */ 658 /****************************************/ 660 void xor_128(unsigned char *a, unsigned char *b, unsigned char *out) 661 { 662 int i; 663 for (i=0;i<16; i++) 664 { 665 out[i] = a[i] ^ b[i]; 666 } 667 } 668 void xor_32(unsigned char *a, unsigned char *b, unsigned char *out) 669 { 670 int i; 671 for (i=0;i<4; i++) 672 { 673 out[i] = a[i] ^ b[i]; 674 } 675 } 677 unsigned char sbox(unsigned char a) 678 { 679 return sbox_table[(int)a]; 680 } 682 void next_key(unsigned char *key, int round) 683 { 684 unsigned char rcon; 685 unsigned char sbox_key[4]; 686 unsigned char rcon_table[12] = { 687 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 688 0x1b, 0x36, 0x36, 0x36 689 }; 691 sbox_key[0] = sbox(key[13]); 692 sbox_key[1] = sbox(key[14]); 693 sbox_key[2] = sbox(key[15]); 694 sbox_key[3] = sbox(key[12]); 695 rcon = rcon_table[round]; 697 xor_32(&key[0], sbox_key, &key[0]); 698 key[0] = key[0] ^ rcon; 700 xor_32(&key[4], &key[0], &key[4]); 701 xor_32(&key[8], &key[4], &key[8]); 702 xor_32(&key[12], &key[8], &key[12]); 703 } 705 void byte_sub(unsigned char *in, unsigned char *out) 706 { 707 int i; 708 for (i=0; i< 16; i++) 709 { 710 out[i] = sbox(in[i]); 711 } 712 } 713 void shift_row(unsigned char *in, unsigned char *out) 714 { 715 out[0] = in[0]; 716 out[1] = in[5]; 717 out[2] = in[10]; 718 out[3] = in[15]; 719 out[4] = in[4]; 720 out[5] = in[9]; 721 out[6] = in[14]; 722 out[7] = in[3]; 723 out[8] = in[8]; 724 out[9] = in[13]; 725 out[10] = in[2]; 726 out[11] = in[7]; 727 out[12] = in[12]; 728 out[13] = in[1]; 729 out[14] = in[6]; 730 out[15] = in[11]; 731 } 733 void mix_column(unsigned char *in, unsigned char *out) 734 { 735 int i; 736 unsigned char add1b[4]; 737 unsigned char add1bf7[4]; 738 unsigned char rotl[4]; 739 unsigned char swap_halfs[4]; 740 unsigned char andf7[4]; 741 unsigned char rotr[4]; 742 unsigned char temp[4]; 743 unsigned char tempb[4]; 745 for (i=0 ; i<4; i++) 746 { 747 if ((in[i] & 0x80)== 0x80) 748 add1b[i] = 0x1b; 749 else 750 add1b[i] = 0x00; 751 } 753 swap_halfs[0] = in[2]; /* Swap halfs */ 754 swap_halfs[1] = in[3]; 755 swap_halfs[2] = in[0]; 756 swap_halfs[3] = in[1]; 758 rotl[0] = in[3]; /* Rotate left 8 bits */ 759 rotl[1] = in[0]; 760 rotl[2] = in[1]; 761 rotl[3] = in[2]; 762 andf7[0] = in[0] & 0x7f; 763 andf7[1] = in[1] & 0x7f; 764 andf7[2] = in[2] & 0x7f; 765 andf7[3] = in[3] & 0x7f; 767 for (i = 3; i>0; i--) /* logical shift left 1 bit */ 768 { 769 andf7[i] = andf7[i] << 1; 770 if ((andf7[i-1] & 0x80) == 0x80) 771 { 772 andf7[i] = (andf7[i] | 0x01); 773 } 774 } 775 andf7[0] = andf7[0] << 1; 776 andf7[0] = andf7[0] & 0xfe; 778 xor_32(add1b, andf7, add1bf7); 780 xor_32(in, add1bf7, rotr); 782 temp[0] = rotr[0]; /* Rotate right 8 bits */ 783 rotr[0] = rotr[1]; 784 rotr[1] = rotr[2]; 785 rotr[2] = rotr[3]; 786 rotr[3] = temp[0]; 787 xor_32(add1bf7, rotr, temp); 788 xor_32(swap_halfs, rotl,tempb); 789 xor_32(temp, tempb, out); 790 } 792 void AES_128(unsigned char *key, unsigned char *data, unsigned char 793 *ciphertext) 794 { 795 int round; 796 int i; 797 unsigned char intermediatea[16]; 798 unsigned char intermediateb[16]; 799 unsigned char round_key[16]; 801 for(i=0; i<16; i++) round_key[i] = key[i]; 802 for (round = 0; round < 11; round++) 803 { 804 if (round == 0) 805 { 806 xor_128(round_key, data, ciphertext); 807 next_key(round_key, round); 808 } 810 else if (round == 10) 811 { 812 byte_sub(ciphertext, intermediatea); 813 shift_row(intermediatea, intermediateb); 814 xor_128(intermediateb, round_key, ciphertext); 815 } 816 else /* 1 - 9 */ 817 { 818 byte_sub(ciphertext, intermediatea); 819 shift_row(intermediatea, intermediateb); 820 mix_column(&intermediateb[0], &intermediatea[0]); 821 mix_column(&intermediateb[4], &intermediatea[4]); 822 mix_column(&intermediateb[8], &intermediatea[8]); 823 mix_column(&intermediateb[12], &intermediatea[12]); 824 xor_128(intermediatea, round_key, ciphertext); 825 next_key(round_key, round); 826 } 827 } 828 } 830 void print_hex(char *str, unsigned char *buf, int len) 831 { 832 int i; 834 for ( i=0; i=0; i-- ) { 868 output[i] = input[i] << 1; 869 output[i] |= overflow; 870 overflow = (input[i] & 0x80)?1:0; 871 } 872 return; 873 } 875 void generate_subkey(unsigned char *key, unsigned char *K1, unsigned 876 char *K2) 877 { 878 unsigned char L[16]; 879 unsigned char Z[16]; 880 unsigned char tmp[16]; 881 int i; 883 for ( i=0; i<16; i++ ) Z[i] = 0; 885 AES_128(key,Z,L); 887 if ( (L[0] & 0x80) == 0 ) { /* If MSB(L) = 0, then K1 = L << 1 */ 888 leftshift_onebit(L,K1); 889 } else { /* Else K1 = ( L << 1 ) (+) Rb */ 890 leftshift_onebit(L,tmp); 891 xor_128(tmp,const_Rb,K1); 892 } 894 if ( (K1[0] & 0x80) == 0 ) { 895 leftshift_onebit(K1,K2); 896 } else { 897 leftshift_onebit(K1,tmp); 898 xor_128(tmp,const_Rb,K2); 899 } 900 return; 901 } 902 void padding ( unsigned char *lastb, unsigned char *pad, int length ) 903 { 904 int j; 906 /* original last block */ 907 for ( j=0; j<16; j++ ) { 908 if ( j < length ) { 909 pad[j] = lastb[j]; 910 } else if ( j == length ) { 911 pad[j] = 0x80; 912 } else { 913 pad[j] = 0x00; 914 } 915 } 916 } 918 void AES_CMAC ( unsigned char *key, unsigned char *input, int length, 919 unsigned char *mac ) 920 { 921 unsigned char X[16],Y[16], M_last[16], padded[16]; 922 unsigned char K1[16], K2[16]; 923 int n, i, flag; 924 generate_subkey(key,K1,K2); 926 n = (length+15) / 16; /* n is number of rounds */ 928 if ( n == 0 ) { 929 n = 1; 930 flag = 0; 931 } else { 932 if ( (length%16) == 0 ) { /* last block is a complete block */ 933 flag = 1; 934 } else { /* last block is not complete block */ 935 flag = 0; 936 } 937 } 939 if ( flag ) { /* last block is complete block */ 940 xor_128(&input[16*(n-1)],K1,M_last); 941 } else { 942 padding(&input[16*(n-1)],padded,length%16); 943 xor_128(padded,K2,M_last); 944 } 946 for ( i=0; i<16; i++ ) X[i] = 0; 947 for ( i=0; i\n"); 990 AES_CMAC(key,M,0,T); 991 printf("AES_CMAC "); print128(T); printf("\n"); 993 printf("\nExample 2: len = 16\n"); 994 printf("M "); print_hex(" ",M,16); 995 AES_CMAC(key,M,16,T); 996 printf("AES_CMAC "); print128(T); printf("\n"); 997 printf("\nExample 3: len = 40\n"); 998 printf("M "); print_hex(" ",M,40); 999 AES_CMAC(key,M,40,T); 1000 printf("AES_CMAC "); print128(T); printf("\n"); 1001 printf("\nExample 4: len = 64\n"); 1002 printf("M "); print_hex(" ",M,64); 1003 AES_CMAC(key,M,64,T); 1004 printf("AES_CMAC "); print128(T); printf("\n"); 1006 printf("--------------------------------------------------\n"); 1008 return 0; 1009 } 1011 Intellectual Property Statement 1013 The IETF takes no position regarding the validity or scope of any 1014 Intellectual Property Rights or other rights that might be claimed to 1015 pertain to the implementation or use of the technology described in 1016 this document or the extent to which any license under such rights 1017 might or might not be available; nor does it represent that it has 1018 made any independent effort to identify any such rights. Information 1019 on the procedures with respect to rights in RFC documents can be 1020 found in BCP 78 and BCP 79. 1022 Copies of IPR disclosures made to the IETF Secretariat and any 1023 assurances of licenses to be made available, or the result of an 1024 attempt made to obtain a general license or permission for the use of 1025 such proprietary rights by implementers or users of this 1026 specification can be obtained from the IETF on-line IPR repository at 1027 http://www.ietf.org/ipr. 1029 The IETF invites any interested party to bring to its attention any 1030 copyrights, patents or patent applications, or other proprietary 1031 rights that may cover technology that may be required to implement 1032 this standard. Please address the information to the IETF at 1033 ietf-ipr@ietf.org. 1035 Disclaimer of Validity 1037 This document and the information contained herein are provided on an 1038 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1039 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1040 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1041 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1042 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1043 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1045 Copyright Statement 1047 Copyright (C) The Internet Society (2005). This document is subject 1048 to the rights, licenses and restrictions contained in BCP 78, and 1049 except as set forth therein, the authors retain all their rights. 1051 Acknowledgment 1053 Funding for the RFC Editor function is currently provided by the 1054 Internet Society.