The OCB Authenticated-Encryption Algorithm
RFC 7253
Section | Field | Value
---|---|---
Document | Type | RFC - Informational (May 2014; No errata); was draft-irtf-cfrg-ocb (cfrg RG)
 | Authors | Ted Krovetz, Phillip Rogaway
 | Last updated | 2014-05-29
 | Replaces | draft-krovetz-ocb
 | Stream | IRTF
 | Formats | plain text, html, pdf, htmlized, bibtex
 | IETF conflict review | conflict-review-irtf-cfrg-ocb
Stream | IRTF state | Published RFC
 | Consensus Boilerplate | Yes
 | Document shepherd | David McGrew
IESG | IESG state | RFC 7253 (Informational)
 | Telechat date |
 | Responsible AD | (None)
 | Send notices to | (None)
IANA | IANA review state | IANA OK - Actions Needed
 | IANA action state | RFC-Ed-Ack
Internet Research Task Force (IRTF)
Request for Comments: 7253
Category: Informational
ISSN: 2070-1721

T. Krovetz, Sacramento State
P. Rogaway, UC Davis
May 2014

The OCB Authenticated-Encryption Algorithm

Abstract

This document specifies OCB, a shared-key blockcipher-based encryption scheme that provides confidentiality and authenticity for plaintexts and authenticity for associated data. This document is a product of the Crypto Forum Research Group (CFRG).

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7253.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Krovetz & Rogaway Informational [Page 1]
RFC 7253 OCB Authenticated Encryption May 2014

Table of Contents

1. Introduction
2. Notation and Basic Operations
3. OCB Global Parameters
   3.1. Named OCB Parameter Sets and RFC 5116 Constants
4. OCB Algorithms
   4.1. Processing Associated Data: HASH
   4.2. Encryption: OCB-ENCRYPT
   4.3. Decryption: OCB-DECRYPT
5. Security Considerations
   5.1. Nonce Requirements
6. IANA Considerations
7. Acknowledgements
8. References
   8.1. Normative References
   8.2. Informative References
Appendix A. Sample Results

1. Introduction

Schemes for authenticated encryption (AE) simultaneously provide for confidentiality and authentication. While this goal would traditionally be achieved by melding separate encryption and authentication mechanisms, each using its own key, integrated AE schemes intertwine what is needed for confidentiality and what is needed for authenticity. By conceptualizing AE as a single cryptographic goal, AE schemes are less likely to be misused than conventional encryption schemes. Also, integrated AE schemes can be significantly faster than what one sees from composing separate confidentiality and authenticity means.

When an AE scheme allows for the authentication of unencrypted data at the same time that a plaintext is being encrypted and authenticated, the scheme is an authenticated encryption with associated data (AEAD) scheme. Associated data can be useful when, for example, a network packet has unencrypted routing information and an encrypted payload.

OCB is an AEAD scheme that depends on a blockcipher. This document fully defines OCB encryption and decryption except for the choice of the blockcipher and the length of authentication tag that is part of the ciphertext. The blockcipher must have a 128-bit blocksize. Each choice of blockcipher and tag length specifies a different variant of OCB. Several AES-based variants are defined in Section 3.1.

OCB encryption and decryption employ a nonce N, which must be distinct for each invocation of the OCB encryption operation. OCB