The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
RFC 4543
Document | Type | RFC - Proposed Standard (May 2006; Errata). Was draft-mcgrew-aes-gmac-esp (individual in sec area)
---|---|---
 | Authors | John Viega, David McGrew
 | Last updated | 2020-01-21
 | Stream | IETF
 | Formats | plain text html pdf htmlized with errata bibtex
Stream | WG state | (None)
 | Document shepherd | No shepherd assigned
IESG | IESG state | RFC 4543 (Proposed Standard)
 | Consensus Boilerplate | Unknown
 | Telechat date |
 | Responsible AD | Russ Housley
 | Send notices to | john@viega.org
Network Working Group
Request for Comments: 4543
Category: Standards Track

D. McGrew, Cisco Systems, Inc.
J. Viega, McAfee, Inc.
May 2006

The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This memo describes the use of the Advanced Encryption Standard (AES) Galois Message Authentication Code (GMAC) as a mechanism to provide data origin authentication, but not confidentiality, within the IPsec Encapsulating Security Payload (ESP) and Authentication Header (AH). GMAC is based on the Galois/Counter Mode (GCM) of operation, and can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also well-suited to software implementations.

Table of Contents

1. Introduction
   1.1. Conventions Used in This Document
2. AES-GMAC
3. The Use of AES-GMAC in ESP
   3.1. Initialization Vector
   3.2. Nonce Format
   3.3. AAD Construction
   3.4. Integrity Check Value (ICV)
   3.5. Differences with AES-GCM-ESP
   3.6. Packet Expansion
4. The Use of AES-GMAC in AH
5. IKE Conventions
   5.1. Phase 1 Identifier
   5.2. Phase 2 Identifier
   5.3. Key Length Attribute
   5.4. Keying Material and Salt Values
6. Test Vectors
7. Security Considerations
8. Design Rationale
9. IANA Considerations
10. Acknowledgements
11. References
   11.1. Normative References
   11.2. Informative References

1. Introduction

This document describes the use of AES-GMAC mode (AES-GMAC) as a mechanism for data origin authentication in ESP [RFC4303] and AH [RFC4302]. We refer to these methods as ENCR_NULL_AUTH_AES_GMAC and AUTH_AES_GMAC, respectively. ENCR_NULL_AUTH_AES_GMAC is a companion to the AES Galois/Counter Mode ESP [RFC4106], which provides authentication as well as confidentiality. ENCR_NULL_AUTH_AES_GMAC is intended for cases in which confidentiality is not desired. Like GCM, GMAC is efficient and secure, and is amenable to high-speed implementations in hardware. ENCR_NULL_AUTH_AES_GMAC and AUTH_AES_GMAC are designed so that the incremental cost of implementation, given an implementation of AES-GCM-ESP, is small.

This document does not cover implementation details of GCM or GMAC. Those details can be found in [GCM], along with test vectors.

1.1. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. AES-GMAC

GMAC is a block cipher mode of operation providing data origin authentication. It is defined in terms of the GCM authenticated encryption operation as follows. The GCM authenticated encryption operation has four inputs: a secret key, an initialization vector (IV), a plaintext, and an input for additional authenticated data
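
The relationship Section 2 begins to describe, shown as an added example that is not part of RFC 4543: GMAC is the GCM authenticated encryption operation run with a zero-length plaintext, so the data enters only through the AAD input and the output is the tag alone. The sketch assumes the Python `cryptography` package; the key, nonce, payload and the payload-plus-tag framing are constructed for illustration and are not the ESP or AH packet layout.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

TAG_LEN = 16  # AES-GCM's full-length authentication tag, in bytes


def gmac_tag(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """GMAC: GCM with empty plaintext; `data` is authenticated as AAD only."""
    # With no plaintext there is no ciphertext, so the output is the tag alone.
    return AESGCM(key).encrypt(nonce, b"", data)


def gmac_verify(key: bytes, nonce: bytes, data: bytes, tag: bytes) -> bool:
    """Check the tag; the library recomputes and compares it internally."""
    if len(tag) != TAG_LEN:
        return False
    try:
        AESGCM(key).decrypt(nonce, tag, data)
        return True
    except InvalidTag:
        return False


def protect(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Hypothetical framing: payload in the clear, followed by its tag."""
    # The nonce must never repeat under the same key.
    return payload + gmac_tag(key, nonce, payload)


def accept(key: bytes, nonce: bytes, wire: bytes):
    """Return the payload if its tag verifies, otherwise None."""
    if len(wire) < TAG_LEN:
        return None
    payload, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    return payload if gmac_verify(key, nonce, payload, tag) else None


if __name__ == "__main__":
    key, nonce = bytes(range(16)), bytes(range(12))  # constructed values
    wire = protect(key, nonce, b"constructed payload")
    print("payload visible on the wire:", wire[:-TAG_LEN])
    print("accepted:", accept(key, nonce, wire))
    tampered = bytes([wire[0] ^ 1]) + wire[1:]
    print("tampered:", accept(key, nonce, tampered))
```

The payload stays readable on the wire, which is the "data origin authentication, but not confidentiality" property the abstract describes; only modification or a wrong key causes rejection.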