idnits 2.17.00 (12 Aug 2021) /tmp/idnits26101/draft-songlee-aes-cmac-96-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 14. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1019. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 996. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1003. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1009. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There is 1 instance of too long lines in the document, the longest one being 1 character in excess of 72. ** There are 34 instances of lines with control characters in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 273 has weird spacing: '...onst_Rb is 0...' == Line 326 has weird spacing: '...onst_Rb is 0...' == Line 334 has weird spacing: '... flag for ...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '3' on line 726 -- Looks like a reference, but probably isn't: '5' on line 660 -- Looks like a reference, but probably isn't: '256' on line 529 -- Looks like a reference, but probably isn't: '16' on line 926 -- Looks like a reference, but probably isn't: '4' on line 763 -- Looks like a reference, but probably isn't: '12' on line 915 -- Looks like a reference, but probably isn't: '0' on line 836 -- Looks like a reference, but probably isn't: '13' on line 668 -- Looks like a reference, but probably isn't: '1' on line 724 -- Looks like a reference, but probably isn't: '14' on line 669 -- Looks like a reference, but probably isn't: '2' on line 725 -- Looks like a reference, but probably isn't: '15' on line 670 -- Looks like a reference, but probably isn't: '8' on line 764 -- Looks like a reference, but probably isn't: '10' on line 665 -- Looks like a reference, but probably isn't: '9' on line 664 -- Looks like a reference, but probably isn't: '6' on line 669 -- Looks like a reference, but probably isn't: '7' on line 666 -- Looks like a reference, but probably isn't: '11' on line 670 -- Looks like a reference, but probably isn't: '64' on line 916 -- Possible downref: Non-RFC (?) normative reference: ref. 'NIST-CMAC' -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Non-RFC (?) normative reference: ref. 'OMAC1' ** Obsolete normative reference: RFC 2402 (ref. 'AH') (Obsoleted by RFC 4302, RFC 4305) ** Obsolete normative reference: RFC 2411 (ref. 'ROADMAP') (Obsoleted by RFC 6071) -- Possible downref: Non-RFC (?) normative reference: ref. 'XCBC' Summary: 8 errors (**), 0 flaws (~~), 5 warnings (==), 31 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 JunHyuk Song 2 Jicheol Lee 3 INTERNET DRAFT Samsung Electronics 4 Expires: November 20, 2005 May 19 2005 6 The AES-CMAC-96 Algorithm and its use with IPsec 7 draft-songlee-aes-cmac-96-00.txt 9 Status of This Memo 11 By submitting this Internet-Draft, each author represents that any 12 applicable patent or other IPR claims of which he or she is aware 13 have been or will be disclosed, and any of which he or she becomes 14 aware will be disclosed, in accordance with Section 6 of BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 Copyright Notice 34 Copyright (C) The Internet Society (2005). 36 Abstract 38 National Institute of Standards and Technology (NIST) has newly 39 specified the Cipher based MAC (CMAC) which is equivalent to the 40 One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa. 41 OMAC1 efficiently reduces the key size of Extended Cipher Block 42 Chaining mode (XCBC). This memo specifies the use of CMAC mode on 43 authentication mechanism of IPsec Encapsulating Security Payload 44 (ESP) and the Authentication Header (AH) protocols. This new 45 algorithm is named AES-CMAC-96. 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 2 50 2. Specification of Language . . . . . . . . . . . . . . . . 2 51 3. AES-CMAC Algorithm . . . . . . . . . . . . . . . . . . . . 3 52 3.1 Basic Definitions. . . . . . . . . . . . . . . . . . . . . 3 53 3.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4 54 3.3 Input and Output . . . . . . . . . . . . . . . . . . . . . 5 55 3.3.1 Input . . . . . . . . . . . . . . . . . . . . . . . . . 5 56 3.3.2 Output . . . . . . . . . . . . . . . . . . . . . . . . . 5 57 3.4 Padding . . . . . . . . . . . . . . . . . . . . . . . . . 6 58 3.5 Subkey Generation . . . . .. . . . . . . . . . . . . . . . 6 59 3.6 AES-CMAC Generation . . . . . . . . . . . . . . . . . . . 7 60 3.7 AES-CMAC-96 . . . . . . . . . . . . . . . . . . . . . . . 9 61 4. Interaction with the ESP Cipher Mechanism . . . . . . . . 9 62 5. Security Considerations . . . . . . . . . . . . . . . . . . 9 63 6. IANA Consideration . . . . . .. . . . . . . . . . . . . . . 10 64 7. Intellectual Property Rights Statement . . . . . . . . . . 10 65 8. References . . . . . . . . . . . . . . . . . . . . . . . . 10 66 9. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . 10 67 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . 11 68 Appendix B. Test Code . .. . . . . . . . . . . . . . . . . . . 12 70 1. Introduction 72 National Institute of Standards and Technology (NIST) has newly 73 specified the Cipher based MAC (CMAC). CMAC [NIST-CMAC] is a keyed 74 hashed function that is based on a symmetric key block cipher such 75 as Advanced Encryption Standard [AES]. CMAC is equivalent to the 76 One-Key CBC-MAC1 (OMAC1) algorithm submitted by Iwata and Kurosawa 77 [OMAC1]. Although the OMAC1 algorithm is based on the eXtended Cipher 78 Block Chaining mode (XCBC) algorithm submitted by Rogaway and Black 79 [XCBC], OMAC1 efficiently reduces the key size of XCBC. 80 This memo specifies the usage of CMAC on authentication mechanism 81 of IPsec Encapsulating Security Payload (ESP) and the Authentication 82 Header (AH) protocols. This new algorithm is named AES-CMAC-96. 83 For further information on AH and ESP, refer to [AH] and [ROADMAP]. 85 2. Specification of Language 87 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 88 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 89 document are to be interpreted as described in RFC 2119 [3]. 91 In addition, the following words are used to signify the requirements 92 of the specification. 94 3. AES-CMAC Algorithm 96 3.1 Basic definitions 98 The following table describes the basic definitions necessary to 99 explain CMAC algorithm and definitions. 101 || Concatenation. 102 a || b means the concatenation a with following b. 104 XOR Exclusive OR. 105 a XOR b means the result of exclusive-OR'ing a 106 with b. 108 [x] Ceiling function. 109 [3.5] results 4. [5] results 5. 111 << Left-shift operation. 112 10010001 << 1 is equal to 00100010. 114 x^y y-times repeated x. 115 0^3 means that 000 in binary format 116 10^4 means that 10000 in binary format 117 10^i means that 1 and i-times repeated 0. 119 CBC Cipher Block Chaining mode of operation for message 120 authentication code. 122 MAC Message Authentication Code. 123 A bitstring of a fixed length, computed by MAC 124 generation algorithm, that is used to established 125 the authority and hence, the integrity of a message. 127 CMAC Cipher-based MAC based on an approved symmetric key 128 block cipher, such as the Advanced Encryption 129 Standard. 131 MSB(x) The most-significant bit of x. 132 MSB(10010001) means 1. 134 padding(x) 10^i padded output of input x. 135 It is described in detail in section 3. 137 Key (K) 128-bits (16bytes) long key for AES-128 cipher block. 138 Denoted by K. 140 K1 First subkey, K1 is generated by subkey generation 141 method. 143 K2 Second subkey, K2 is generated by subkey generation 144 method. 146 Message (M) Message to be authenticated. 147 Denoted by M. 148 The total message M is denoted by sequence of M_i 149 where M_i is the i'th block with size 128-bit. 150 Message can be null message which means that the 151 length of M is 0. 153 Length (len) The length of message M in bytes. 154 Denoted by len. 155 Minimum value of the length can be 0. The maximum 156 value of the length is not specified in this document. 158 truncate(T,l) Truncate T (MAC) in msb-first order with l bytes. 160 T The output of CMAC-AES-128. 162 Truncated T The truncated output of CMAC-AES-128 in MSB first 163 order. 165 AES-128(K,M) 128-bit ciphertext, output of performing AES-128 166 cipher block of 128-bit plaintext M with 128-bit 167 Key K 169 AES-CMAC CMAC generation function based on AES block cipher 170 with 128-bits key 172 AES-CMAC-96 IPsec AH and ESP MAC generation function based on 173 CMAC-AES-128 which truncates MSB 96 bits of 128 bits 174 output 175 3.2 Overview 177 The Advanced Encryption Standard [AES] is recently defined symmetric 178 key block cipher by NIST. AES-CMAC algorithm uses the CBC mode of 179 operation based on block cipher with 128-bit key for message 180 authentication code generation. In CBC-mode uses output of the 181 cipher block in order to exclusive-or with next input block. 182 The output of CMAC-mode will provide data integrity over whole 183 input message. 185 There are two cases of operation in CMAC. Figure 3.1 illustrated the 186 operation of CBC-MAC with two cases. If the size of input 187 message block is equal to multiple of block size namely 128-bits, 188 the last block processing shall be exclusive-OR'ed with K1. 189 Otherwise, the last block shall be padded with 10^i (notation is 190 described in section 3.1) and exclusive-OR'ed with K2. The result 191 of the previous process will be the input of the last CBC operation. 193 +-----+ +-----+ +-----+ +-----+ +-----+ +---+----+ 194 | M_1 | | M_2 | | M_n | | M_1 | | M_2 | |M_n|10^i| 195 +-----+ +-----+ +-----+ +-----+ +-----+ +---+----+ 196 | | | | | | 197 | +--->(+) +--->(+)<- K1 | +--->(+) +--->(+)<- K2 198 | | | | | | | | | | 199 +-----+ | +-----+ | +-----+ +-----+ | +-----+ | +-----+ 200 | E_k | | | E_k | | | E_k | | E_k | | | E_k | | | E_k | 201 +-----+ | +-----+ | +-----+ +-----+ | +-----+ | +-----+ 202 | | | | | | | | | | 203 +-----+ +-----+ | +-----+ +-----+ | 204 | | 205 T T 206 (a) multiple block size (b) not multiple block size 208 Figure 3.1 Illustration of two cases of CMAC generation 210 E_k is cipher block function with key, k. In this memo, 211 E is the AES-128 cipher block and k is input key namely K. 212 M_i means the message block with length 128-bit where i = 1...n. 213 K1 is the key for the case (a). 214 K2 is the key for the case (b). 215 K1 and K2 is generated by subkey generation method described in 216 section 3.4.2. 218 3.3 Input and Output 220 3.3.1 Input 222 A given block cipher and key typically fixed across most CMAC 223 invocations are called prerequisites. A given block cipher in 224 this memo is AES-128 and length of key is 128-bits (16bytes). 225 Other input parameters defined in this memo are 'M' denoting 226 the message to be authenticated and 'len' denoting the length 227 of message M in bytes. The total message M is denoted by sequence 228 of M_i where M_i is the i'th block with size 128-bit. 230 3.3.2 Output 232 The output of AES-CMAC can validate the input message. 233 Validating the message provide assurance of the integrity and 234 authenticity over the message from the source. According to 235 [NIST-CMAC] at least 64-bits should be used for against guessing 236 attack. Result of truncation should be taken in most significant 237 bits first order. 239 3.4 Padding 241 AES-CMAC uses cipher block with fixed length (128-bit). There 242 should be a special treatment in case that the length of plaintext is 243 not divided by cipher block length. The special treatment is to pad 244 10^i bit-string for adjusting size of the last-block up to the cipher 245 block length. 247 The method of padding is described as [OMAC1]. 248 Padding(x) means 10^i padded output with 128-bit length. 249 If the input x has length r-bytes, padding(x) is defined as follows: 251 - padding(x) = x || 10^i where i is 128-8*r-1 253 3.5 Subkey Generation 255 AES-CMAC algorithm requires the subkeys K1 and K2. K1 is used 256 for the case that the size of last block is equal to cipher block 257 size. K2 is used for the case that the size of last block is less 258 than cipher block size. 260 Through Generate_Subkey algorithm, we get K1 and K2 from the input K 261 which is the input key described 3.3. 263 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 264 + Algorithm Generate_Subkey + 265 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 266 + + 267 + Input : K (128-bit Key described in section 4.1) + 268 + Output : K1 (128-bit subkey) + 269 + K2 (128-bit subkey) + 270 +-------------------------------------------------------------------+ 271 + + 272 + Constants: const_Zero is 0x00000000000000000000000000000000 + 273 + const_Rb is 0x00000000000000000000000000000087 + 274 + Variables: L for output of AES-128 applied to 0^128 + 275 + + 276 + Step 1. L := AES-128(K, const_Zero); + 277 + Step 2. if MSB(L) is equal to 0 + 278 + then K1 := L << 1; + 279 + else K1 := (L << 1) XOR const_Rb; + 280 + Step 3. if MSB(K1) is equal to 0 + 281 + then K2 := K1 << 1; + 282 + else K2 := (K1 << 1) XOR const_Rb; + 283 + Step 4. return K1, K2; + 284 + + 285 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 287 Figure 3.2 Generate_Subkey Algorithm 288 Figure 3.2 describes the algorithm generating subkeys. 289 In step 1. AES-128 is applied to all zero bits with key k 290 In step 2 Derive K1 through following operation: 291 If the most significant bit of L is equal to 0, left-shift L by 1 292 bit. Otherwise, exclusive-OR const_Rb with the result of 1-bit 293 left-shift of L. 294 In step 3. Derive K2 through following operation. 295 If the most significant bit of K1 is equal to 0, we just left-shift 296 K1 by 1 bit. Otherwise, we exclusive-OR const_Rb with the result 297 of 1-bit left-shift of K1. In step 4. return K1 and K2. 299 The mathematical meaning of procedure in step 2 and step 3 including 300 const_Rb can be found in [OMAC1]. 302 3.6 AES-CMAC Generation 304 To perform the algorithm, we should have Generate_Subkey algorithm 305 which is described in section 3.4.2 and padding function which is 306 used in case that the size of last block is less than the cipher 307 block size. 309 Inputs of AES-CMAC are K, M, len which are described in section 3.3. 311 Output of AES-CMAC is T which is the authentication code described 312 in section 3.3. 314 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 315 + Algorithm AES-CMAC + 316 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 317 + + 318 + Input : K ( 128-bit Symmetric Key ) + 319 + : M ( message to be authenticated ) + 320 + : len ( length of message in bytes ) + 321 + Output : T ( message authenticated code ) + 322 + + 323 +-------------------------------------------------------------------+ 324 + + 325 + Constants: const_Zero is 0x00000000000000000000000000000000 + 326 + const_Rb is 0x00000000000000000000000000000087 + 327 + const_Bsize is 16 in bytes for 128-bit block + 328 + + 329 + Variables: K1, K2 for 128-bit subkeys + 330 + M_i means i'th 128-bit block (i=1..[M/const_Bsize]) + 331 + M_last for last block xor-ed with K1 or K2 + 332 + n for number of block to be processed + 333 + r for number of bytes of last block + 334 + flag for denoting if last block is complete or not + 335 + + 336 + Step 1. (K1,K2) := Generate_Subkey(K); + 337 + Step 2. n := [ len/const_Bsize ]; + 338 + Step 3. if n = 0 + 339 + then + 340 + n := 1; + 341 + flag := false; + 342 + else + 343 + if len mod const_Bsize is 0 + 344 + then flag := true; + 345 + else flag := false; + 346 + + 347 + Step 4. if flag is true + 348 + then M_last := M_n XOR K1; + 349 + else M_last := padding(M_n) XOR K2; + 350 + Step 5. X := const_Zero; + 351 + Step 6. for i := 1 to n-1 do + 352 + begin + 353 + Y := X XOR M_i; + 354 + X := AES-128(K,Y); + 355 + end + 356 + Y := M_last XOR X; + 357 + X := AES-128(K,Y); + 358 + Step 7. return T; + 359 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 361 Figure 3.3 AES-CMAC Algorithm 363 Figure 3.3 describes the AES-CMAC authentication code generation 364 algorithm 366 In step 1, we derive subkeys, K1 and K2 with K 367 In step 2, we calculate the number of blocks. The number of blocks 368 is a smallest integer value greater than or equal to quotient by 369 dividing length parameter by 128-bit (16 bytes). 370 In step 3, we check if the last block is complete block. 371 If the input length is less than 128-bit (16 bytes), the number of 372 blocks to be processed shall be 1 and we mark the flag as 373 not-complete-block (false). Otherwise, if the last block size is 374 128-bit, we mark the flag as complete-block (true), else we mark 375 the flag as not-complete-block (false). 376 In step 4, we pre-calculate the M_last block with exclusive-OR'ing 377 previously calculated subkeys. If the last block is complete block 378 (true), we should exclusive-OR the last block with K1. 379 Otherwise, we should exclusive-OR the padded last block with K2. 380 In step 5. we initialize the variable X. 381 In step 6. We perform AES-CBC mode of operation with the input 382 message M_1 to M_{n-1}. And the M_last which is calculated in step 383 4, shall be the last input block for CBC mode of operation. 384 In step 7. we finally return authentication code with 128-bit. 386 3.7 AES-CMAC-96 388 For use in IPsec message authentication on AH and ESP, AES-CMAC-96 389 should be used. AES-CMAC-96 is a AES-CMAC with 96-bit-long 390 truncated output in most significant bit first order. The output of 391 96 bits MAC that will meet the default authenticator length as 392 specified in [AH] 394 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 395 + Algorithm AES-CMAC-96 + 396 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 397 + + 398 + Input : K (128-bit Key described in section 4.1) + 399 + : M ( message to be authenticated ) + 400 + : len ( length of message in bytes ) + 401 + Output : Truncated T (Truncated output with length 12 bytes) + 402 + + 403 +-------------------------------------------------------------------+ 404 + + 405 + Step 1. T := CMAC-AES-128 (K,M,len); + 406 + Step 2. TT := truncate (T, 12); + 407 + return TT; + 408 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 410 Figure 3.4 Algorithm AES-CMAC-96 412 Figure 3.4 describes AES-CMAC-96 algorithm. 414 In step 1, we perform AES-CMAC in Figure 3.3. 415 In step 2, we truncate T with 12 byte in msb-first-order and return 416 TT. 418 4. Interaction with the ESP Cipher Mechanism 420 As of this writing, there are no known issues which preclude the use 421 of AES-CMAC-96 with any specific cipher algorithm. 423 5. Security Considerations 425 The security provided by AES-CMAC-96 is based upon the strength of 426 AES. At the time of this writing there are no practical 427 cryptographic attacks against AES or AES-CMAC-96. 429 As is true with any cryptographic algorithm, part of its strength 430 lies in the correctness of the algorithm implementation, the security 431 of the key management mechanism and its implementation, the strength 432 of the associated secret key, and upon the correctness of the 433 implementation in all of the participating systems. This document 434 contains test vectors to assist in verifying the correctness of 435 AES-CMAC-96 code. 437 6. IANA Consideration 439 TBD 441 7. Acknowledgement 443 Portions of this text were borrowed from [NIST-CMAC] and 444 [AES-XCBC-MAC]. We would like to thank to OMAC1 author Tetsu Iwata 445 and Kaoru Kurosawa, and CMAC author Morris Dworkin, and special 446 thanks to David Johnston for providing AES cipher block test code. 448 8. References 450 [NIST-CMAC] NIST, Special Publication 800-38B Draft,"Recommendation 451 for Block Cipher Modes of Operation: The CMAC Method 452 for Authentication," March 9, 2005 454 [AES] NIST, FIPS 197, "Advanced Encryption Standard (AES)," 455 November 2001. 456 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 458 [OMAC1] "OMAC: One-Key CBC MAC," Tetsu Iwata and Kaoru Kurosawa, 459 Department of Computer and Information Sciences, 460 Ilbaraki University, March 10, 2003. 462 [AES-XCBC-MAC] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 463 Algorithm and Its Use With IPsec", RFC 3566, September 464 2003. 466 [AH] Kent, S. and R. Atkinson, "IP Authentication Header", 467 RFC 2402, November 1998. 469 [ROADMAP] Thayer, R., N. Doraswamy, and R. Glenn, "IP Security 470 Document Roadmap", RFC 2411, November 1998. 472 [XCBC] Black, J. and P. Rogaway, "A Suggestion for Handling 473 Arbitrary-Length Messages with the CBC MAC," NIST 474 Second Modes of Operation Workshop, August 2001. 475 http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/ 476 xcbc-mac/xcbc-mac-spec.pdf 477 Appendix A. Test Vectors 479 Following test vectors are same as that of [NIST-CMAC]. 480 The following vectors are also output of the test program of 481 appendix B. 483 -------------------------------------------------- 484 K 2b7e1516 28aed2a6 abf71588 09cf4f3c 486 Subkey Generation 487 AES_128(key,0) 7df76b0c 1ab899b3 3e42f047 b91b546f 488 K1 fbeed618 35713366 7c85e08f 7236a8de 489 K2 f7ddac30 6ae266cc f90bc11e e46d513b 491 Example 1: len = 0 492 M 493 AES_CMAC bb1d6929 e9593728 7fa37d12 9b756746 494 AES_CMAC_96 bb1d6929 e9593728 7fa37d12 496 Example 2: len = 16 497 M 6bc1bee2 2e409f96 e93d7e11 7393172a 498 AES_CMAC 070a16b4 6b4d4144 f79bdd9d d04a287c 499 AES_CMAC_96 070a16b4 6b4d4144 f79bdd9d 501 Example 3: len = 40 502 M 6bc1bee2 2e409f96 e93d7e11 7393172a 503 ae2d8a57 1e03ac9c 9eb76fac 45af8e51 504 30c81c46 a35ce411 505 AES_CMAC dfa66747 de9ae630 30ca3261 1497c827 506 AES_CMAC_96 dfa66747 de9ae630 30ca3261 508 Example 4: len = 64 509 M 6bc1bee2 2e409f96 e93d7e11 7393172a 510 ae2d8a57 1e03ac9c 9eb76fac 45af8e51 511 30c81c46 a35ce411 e5fbc119 1a0a52ef 512 f69f2445 df4f9b17 ad2b417b e66c3710 513 AES_CMAC 51f0bebf 7e3b9d92 fc497417 79363cfe 514 AES_CMAC_96 51f0bebf 7e3b9d92 fc497417 515 -------------------------------------------------- 516 Appendix B. Test Code 518 /****************************************************************/ 519 /* AES-CMAC with AES-128 bit */ 520 /* AES-128 from David Johnston (802.16) */ 521 /* CMAC-AES Algorithm described in SP800-38B draft */ 522 /* Author: Junhyuk Song (junhyuk.song@samsung.com) */ 523 /* Jicheol Lee (jicheol.lee@samsung.com) */ 524 /****************************************************************/ 526 #include 528 /******** SBOX Table *********/ 529 unsigned char sbox_table[256] = { 530 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 531 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 532 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 533 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 534 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 535 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 536 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 537 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 538 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 539 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 540 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 541 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 542 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 543 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 544 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 545 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 546 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 547 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 548 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 549 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 550 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 551 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 552 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 553 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, 554 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 555 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 556 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 557 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 558 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 559 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 560 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 561 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 562 }; 563 /* For CMAC Calculation */ 564 unsigned char const_Rb[16] = { 565 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 566 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87 567 }; 568 unsigned char const_Zero[16] = { 569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 570 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 571 }; 573 /*****************************/ 574 /**** Function Prototypes ****/ 575 /*****************************/ 577 void xor_128(unsigned char *a, unsigned char *b, unsigned char *out); 578 void xor_32(unsigned char *a, unsigned char *b, unsigned char *out); 579 unsigned char sbox(unsigned char a); 580 void next_key(unsigned char *key, int round); 581 void byte_sub(unsigned char *in, unsigned char *out); 582 void shift_row(unsigned char *in, unsigned char *out); 583 void mix_column(unsigned char *in, unsigned char *out); 584 void add_round_key( unsigned char *shiftrow_in, 585 unsigned char *mcol_in, 586 unsigned char *block_in, 587 int round, 588 unsigned char *out); 589 void AES_128(unsigned char *key, unsigned char *data, unsigned char 590 *ciphertext); 591 void leftshift_onebit(unsigned char *input,unsigned char *output); 593 /****************************************/ 594 /* AES_128() */ 595 /* Performs a 128 bit AES encrypt with */ 596 /* 128 bit data. */ 597 /****************************************/ 599 void xor_128(unsigned char *a, unsigned char *b, unsigned char *out) 600 { 601 int i; 602 for (i=0;i<16; i++) 603 { 604 out[i] = a[i] ^ b[i]; 605 } 606 } 607 void xor_32(unsigned char *a, unsigned char *b, unsigned char *out) 608 { 609 int i; 610 for (i=0;i<4; i++) 611 { 612 out[i] = a[i] ^ b[i]; 613 } 614 } 616 unsigned char sbox(unsigned char a) 617 { 618 return sbox_table[(int)a]; 619 } 621 void next_key(unsigned char *key, int round) 622 { 623 unsigned char rcon; 624 unsigned char sbox_key[4]; 625 unsigned char rcon_table[12] { 626 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 627 0x1b, 0x36, 0x36, 0x36 628 }; 630 sbox_key[0] = sbox(key[13]); 631 sbox_key[1] = sbox(key[14]); 632 sbox_key[2] = sbox(key[15]); 633 sbox_key[3] = sbox(key[12]); 635 rcon = rcon_table[round]; 637 xor_32(&key[0], sbox_key, &key[0]); 638 key[0] = key[0] ^ rcon; 640 xor_32(&key[4], &key[0], &key[4]); 641 xor_32(&key[8], &key[4], &key[8]); 642 xor_32(&key[12], &key[8], &key[12]); 643 } 645 void byte_sub(unsigned char *in, unsigned char *out) 646 { 647 int i; 648 for (i=0; i< 16; i++) 649 { 650 out[i] = sbox(in[i]); 651 } 652 } 653 void shift_row(unsigned char *in, unsigned char *out) 654 { 655 out[0] = in[0]; 656 out[1] = in[5]; 657 out[2] = in[10]; 658 out[3] = in[15]; 659 out[4] = in[4]; 660 out[5] = in[9]; 661 out[6] = in[14]; 662 out[7] = in[3]; 663 out[8] = in[8]; 664 out[9] = in[13]; 665 out[10] = in[2]; 666 out[11] = in[7]; 667 out[12] = in[12]; 668 out[13] = in[1]; 669 out[14] = in[6]; 670 out[15] = in[11]; 671 } 673 void mix_column(unsigned char *in, unsigned char *out) 674 { 675 int i; 676 unsigned char add1b[4]; 677 unsigned char add1bf7[4]; 678 unsigned char rotl[4]; 679 unsigned char swap_halfs[4]; 680 unsigned char andf7[4]; 681 unsigned char rotr[4]; 682 unsigned char temp[4]; 683 unsigned char tempb[4]; 685 for (i=0 ; i<4; i++) 686 { 687 if ((in[i] & 0x80)== 0x80) 688 add1b[i] = 0x1b; 689 else 690 add1b[i] = 0x00; 691 } 693 swap_halfs[0] = in[2]; /* Swap halfs */ 694 swap_halfs[1] = in[3]; 695 swap_halfs[2] = in[0]; 696 swap_halfs[3] = in[1]; 698 rotl[0] = in[3]; /* Rotate left 8 bits */ 699 rotl[1] = in[0]; 700 rotl[2] = in[1]; 701 rotl[3] = in[2]; 702 andf7[0] = in[0] & 0x7f; 703 andf7[1] = in[1] & 0x7f; 704 andf7[2] = in[2] & 0x7f; 705 andf7[3] = in[3] & 0x7f; 707 for (i = 3; i>0; i--) /* logical shift left 1 bit */ 708 { 709 andf7[i] = andf7[i] << 1; 710 if ((andf7[i-1] & 0x80) == 0x80) 711 { 712 andf7[i] = (andf7[i] | 0x01); 713 } 714 } 715 andf7[0] = andf7[0] << 1; 716 andf7[0] = andf7[0] & 0xfe; 718 xor_32(add1b, andf7, add1bf7); 720 xor_32(in, add1bf7, rotr); 722 temp[0] = rotr[0]; /* Rotate right 8 bits */ 723 rotr[0] = rotr[1]; 724 rotr[1] = rotr[2]; 725 rotr[2] = rotr[3]; 726 rotr[3] = temp[0]; 728 xor_32(add1bf7, rotr, temp); 729 xor_32(swap_halfs, rotl,tempb); 730 xor_32(temp, tempb, out); 731 } 733 void AES_128(unsigned char *key, unsigned char *data, unsigned char 734 *ciphertext) 735 { 736 int round; 737 int i; 738 unsigned char intermediatea[16]; 739 unsigned char intermediateb[16]; 740 unsigned char round_key[16]; 742 for(i=0; i<16; i++) round_key[i] = key[i]; 744 for (round = 0; round < 11; round++) 745 { 746 if (round == 0) 747 { 748 xor_128(round_key, data, ciphertext); 749 next_key(round_key, round); 750 } 752 else if (round == 10) 753 { 754 byte_sub(ciphertext, intermediatea); 755 shift_row(intermediatea, intermediateb); 756 xor_128(intermediateb, round_key, ciphertext); 757 } 758 else /* 1 - 9 */ 759 { 760 byte_sub(ciphertext, intermediatea); 761 shift_row(intermediatea, intermediateb); 762 mix_column(&intermediateb[0], &intermediatea[0]); 763 mix_column(&intermediateb[4], &intermediatea[4]); 764 mix_column(&intermediateb[8], &intermediatea[8]); 765 mix_column(&intermediateb[12], &intermediatea[12]); 766 xor_128(intermediatea, round_key, ciphertext); 767 next_key(round_key, round); 768 } 769 } 770 } 772 void print_hex(char *str, unsigned char *buf, int len) 773 { 774 int i; 776 for ( i=0; i=0; i-- ) { 810 output[i] = input[i] << 1; 811 output[i] |= overflow; 812 overflow = (input[i] & 0x80)?1:0; 813 } 814 return; 815 } 817 void generate_subkey(unsigned char *key, unsigned char *K1, unsigned 818 char *K2) 819 { 820 unsigned char L[16]; 821 unsigned char Z[16]; 822 unsigned char tmp[16]; 823 int i; 825 for ( i=0; i<16; i++ ) Z[i] = 0; 827 AES_128(key,Z,L); 829 if ( (L[0] & 0x80) == 0 ) { /* If MSB(L) = 0, then K1 = L << 1 */ 830 leftshift_onebit(L,K1); 831 } else { /* Else K1 = ( L << 1 ) (+) Rb */ 832 leftshift_onebit(L,tmp); 833 xor_128(tmp,const_Rb,K1); 834 } 836 if ( (K1[0] & 0x80) == 0 ) { 837 leftshift_onebit(K1,K2); 838 } else { 839 leftshift_onebit(K1,tmp); 840 xor_128(tmp,const_Rb,K2); 841 } 842 return; 843 } 844 void padding ( unsigned char *lastb, unsigned char *pad, int length ) 845 { 846 int j; 848 /* original last block */ 849 for ( j=0; j<16; j++ ) { 850 if ( j < length ) { 851 pad[j] = lastb[j]; 852 } else if ( j == length ) { 853 pad[j] = 0x80; 854 } else { 855 pad[j] = 0x00; 856 } 857 } 858 } 860 void AES_CMAC ( unsigned char *key, unsigned char *input, int length, 861 unsigned char *mac ) 862 { 863 unsigned char X[16],Y[16], M_last[16], padded[16]; 864 unsigned char K1[16], K2[16]; 865 int n, i, flag; 866 generate_subkey(key,K1,K2); 868 n = (length+15) / 16; /* n is number of rounds */ 870 if ( n == 0 ) { 871 n = 1; 872 flag = 0; 873 } else { 874 if ( (length%16) == 0 ) { /* last block is a complete block */ 875 flag = 1; 876 } else { /* last block is not complete block */ 877 flag = 0; 878 } 879 } 881 if ( flag ) { /* last block is complete block */ 882 xor_128(&input[16*(n-1)],K1,M_last); 883 } else { 884 padding(&input[16*(n-1)],padded,length%16); 885 xor_128(padded,K2,M_last); 886 } 888 for ( i=0; i<16; i++ ) X[i] = 0; 890 for ( i=0; i\n"); 944 AES_CMAC(key,M,0,T); 945 printf("AES_CMAC "); print128(T); printf("\n"); 946 AES_CMAC_96(key,M,0,TT); 947 printf("AES_CMAC_96 "); print96(TT); printf("\n"); 949 printf("\nExample 2: len = 16\n"); 950 printf("M "); print_hex(" ",M,16); 951 AES_CMAC(key,M,16,T); 952 printf("AES_CMAC "); print128(T); printf("\n"); 953 AES_CMAC_96(key,M,16,TT); 954 printf("AES_CMAC_96 "); print96(TT); printf("\n"); 956 printf("\nExample 3: len = 40\n"); 957 printf("M "); print_hex(" ",M,40); 958 AES_CMAC(key,M,40,T); 959 printf("AES_CMAC "); print128(T); printf("\n"); 960 AES_CMAC_96(key,M,40,TT); 961 printf("AES_CMAC_96 "); print96(TT); printf("\n"); 963 printf("\nExample 4: len = 64\n"); 964 printf("M "); print_hex(" ",M,64); 965 AES_CMAC(key,M,64,T); 966 printf("AES_CMAC "); print128(T); printf("\n"); 967 AES_CMAC_96(key,M,64,TT); 968 printf("AES_CMAC_96 "); print96(TT); printf("\n"); 970 printf("--------------------------------------------------\n"); 972 return 0; 973 } 975 Author's Address 977 Junhyuk Song 978 Samsung Electronics 979 +82-31-279-3639 980 santajunman@hanafos.com 982 Jicheol Lee 983 Samsung Electronics 984 +82-31-279-3605 985 jicheol.lee@samsung.com 987 Intellectual Property Statement 989 The IETF takes no position regarding the validity or scope of any 990 Intellectual Property Rights or other rights that might be claimed to 991 pertain to the implementation or use of the technology described in 992 this document or the extent to which any license under such rights 993 might or might not be available; nor does it represent that it has 994 made any independent effort to identify any such rights. Information 995 on the procedures with respect to rights in RFC documents can be 996 found in BCP 78 and BCP 79. 998 Copies of IPR disclosures made to the IETF Secretariat and any 999 assurances of licenses to be made available, or the result of an 1000 attempt made to obtain a general license or permission for the use of 1001 such proprietary rights by implementers or users of this 1002 specification can be obtained from the IETF on-line IPR repository at 1003 http://www.ietf.org/ipr. 1005 The IETF invites any interested party to bring to its attention any 1006 copyrights, patents or patent applications, or other proprietary 1007 rights that may cover technology that may be required to implement 1008 this standard. Please address the information to the IETF at 1009 ietf-ipr@ietf.org. 1011 Disclaimer of Validity 1013 This document and the information contained herein are provided on an 1014 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1015 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1016 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1017 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1018 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1019 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1021 Copyright Statement 1023 Copyright (C) The Internet Society (2005). This document is subject 1024 to the rights, licenses and restrictions contained in BCP 78, and 1025 except as set forth therein, the authors retain all their rights. 1027 Acknowledgment 1029 Funding for the RFC Editor function is currently provided by the 1030 Internet Society.