JunHyuk Song
Radha Poovendran
University of Washington
Jicheol Lee
Samsung Electronics
Tetsu Iwata
INTERNET DRAFT Ibaraki University
Expires: August 2, 2006 February 3 2006
The AES-CMAC-PRF-128 Algorithm for
the Internet Key Exchange Protocol (IKE)
draft-songlee-aes-cmac-prf-128-03.txt
Status of This Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
Some implementations of IP Security (IPsec) may want to use a
pseudo-random function derived from the Advanced Encryption Standard
(AES). This memo describes such an algorithm, called AES-CMAC-
PRF-128.
Song et al. Expires Auguest 2006 [Page 1]
Internet Draft February 2006
1. Introduction
[AES-CMAC] describes a method to use the Advanced Encryption
Standard (AES) as a message authentication code (MAC) whose output
is 128 bits long. 128 bits output is useful as a long-lived pseudo-
random function (PRF) in either IKE version 1 or version 2. This
document specifies PRF that support fixed and variable key sizes for
IKEv2 [IKEv2] Key Derivation Function (KDF) and authentication.
2. Basic definitions
VK Variable length key for AES-CMAC-PRF-128, Denoted
by VK.
0^n The string that consists of n zero-bits.
0^3 means that 000 in binary format.
10^4 means that 10000 in binary format.
10^i means that 1 followed by i-times repeated
zero's.
AES-CMAC AES-CMAC algorithm with 128 bits long key described
in section 2.4 of [AES-CMAC].
3. The AES-CMAC-PRF-128 Algorithm
The AES-CMAC-PRF-128 algorithm is identical to AES-CMAC defined
in [AES-CMAC] except that the 128 bits key length restriction is
removed.
IKEv2 [IKEv2] uses PRFs for multiple purposes, most notably for
generating keying material and authentication of the the IKE_SA.
The IKEv2 specification differentiates between PRFs with fixed key
sizes and those with variable key sizes
When using the PRF described in this document with IKEv2, the PRF is
considered to be fixed-length for generating keying material but
variable-length for authentication.
Song et al. Expires Auguest 2006 [Page 2]
Internet Draft February 2006
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ AES-CMAC-PRF-128 +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ +
+ Input : VK ( Variable length key ) +
+ : M ( Message to be authenticated ) +
+ : VKlen ( length of VK ) +
+ : len ( length of message in octets ) +
+ Output : PRV ( 128 bits Pseudo Random Variable ) +
+ +
+-------------------------------------------------------------------+
+ Variables: K ( 128-bits fixed key ) +
+ +
+ Step 1. +
+ If VKlen is equal to 16 octets then +
+ Step 1a. K := VK; +
+ Else +
+ Step 1b. K := AES-CMAC (0^128, VK, VKlen); +
+ +
+ Step 2. +
+ PRV := AES-CMAC (K,M,len); +
+ return PRV; +
+ +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Figure 1. AES-CMAC-PRF-128 Algorithm
In step 1, the key for AES-CMAC-PRF-128 is created as follows:
o If the key is exactly 128 bits long, use it as-is.
o If the key is longer or shorter than 128 bits long, then we derive
new key K by performing AES-CMAC algorithm using 128 bits all
zero key and VK as the message. This step is described in step 1b.
In step 2, we perform AES-CMAC algorithm using K as the key and
M as the message. The output of this algorithm is returned.
Song et al. Expires Auguest 2006 [Page 3]
Internet Draft February 2006
5. Test Vectors
------------------------------------------------------------
Test Case AES-CMAC-PRF-128 with 20-octet input
Key : 00010203 04050607 08090a0b 0c0d0e0f edcb
Key Length : 18
Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213
PRF Output : 84a348a4 a45d235b abfffc0d 2b4da09a
Test Case AES-CMAC-PRF-128 with 20-octet input
Key : 00010203 04050607 08090a0b 0c0d0e0f
Key Length : 16
Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213
PRF Output : 980ae87b 5f4c9c52 14f5b6a8 455e4c2d
Test Case AES-CMAC-PRF-128 with 20-octet input
Key : 00010203 04050607 0809
Key Length : 10
Message : 00010203 04050607 08090a0b 0c0d0e0f 10111213
PRF Output : 290d9e11 2edb09ee 141fcf64 c0b72f3d
------------------------------------------------------------
6. Security Considerations
The security provided by AES-CMAC-PRF-128 is based upon the strength
of AES and AES-CMAC. At the time of this writing, there are no known
practical cryptographic attacks against AES or AES-CMAC.
However as is true with any cryptographic algorithm, part of its
strength lies in the secret key, 'K' and the correctness of the
implementation in all of the participating systems.
Keys need to be chosen at random based on RFC 4086 [RFC4086]
and should be kept in safe and periodically refreshed.
Whenever keys larger than 128 bits are reduced to meet AES-128 key
input size, some entropy might be lost. However, if using collision-
resistant hash function such as AES-CMAC when generating new key for
pseudo-random function, it preserves sufficient entropy as long as
the pseudo-random function to be used requires 128 bits long input key.
7. IANA Consideration
IANA should allocate a value for IKEv2 Transform Type 2
(Pseudo-Random Function) to the PRF_AES128_CMAC algorithm when this
document is published.
Song et al. Expires Auguest 2006 [Page 4]
Internet Draft February 2006
8. Acknowledgement
Portions of this text were borrowed from [AES-XCBC-PRF] and
[AES-XCBC-PRF_bis], and many thanks to Russ Housley and
Paul Hoffman for suggestions and guidance.
9. Reference
9.1 Normative References
[AES-CMAC] JunHyuk Song, Jicheol Lee, Radha Poovendran and
Tetsu Iwata, "The AES-CMAC Algorithm,"
draft-songlee-aes-cmac-03.txt, (work in progress)
December 2005.
[IKEv2] Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
Protocol", draft-ietf-ipsec-ikev2-17
(work in progress), September 2004.
[RFC4086] Eastlake 3rd, D., Crocker, S., and J. Schiller,
"Randomness Requirements for Security", RFC 4086
June 2005
9.2. Informative References
[AH] Kent, S. and R. Atkinson, "Security Architecture
for the Internet Protocol", RFC 2401, November
1998.
[ROADMAP] Thayer, R., Doraswamy, N. and R. Glenn, "IP
Security Document Roadmap", RFC 2411, November
1998.
[AES-XCBC-PRF] P. Hoffman, "The AES-XCBC-PRF-128 Algorithm for
the Internet Key Exchange Protocol (IKE),"
RFC3664, Jan 2004.
[AES-XCBC-PRF-bis] P. Hoffman, "The AES-XCBC-PRF-128 Algorithm for
the Internet Key Exchange Protocol (IKE),"
draft-hoffman-rfc3664bis-05.txt
(work in progress), October 2005.
Song et al. Expires Auguest 2006 [Page 5]
Internet Draft February 2006
Author's Address
Junhyuk Song
Samsung Electronics
University of Washington
(206) 853-5843
songlee@u.washington.edu
junhyuk.song@samsung.com
Jicheol Lee
Samsung Electronics
+82-31-279-3605
jicheol.lee@samsung.com
Radha Poovendran
Network Security Lab
University of Washington
(206) 221-6512
radha@ee.washington.edu
Tetsu Iwata
Ibaraki University
iwata@cis.ibaraki.ac.jp
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Song et al. Expires Auguest 2006 [Page 6]
Internet Draft February 2006
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Song et al. Expires Auguest 2006 [Page 7]
