The OCB Authenticated-Encryption Algorithm
RFC 7253
| Document | Type |
RFC - Informational
(May 2014; No errata)
Was draft-irtf-cfrg-ocb (cfrg RG)
|
|
|---|---|---|---|
| Last updated | 2014-05-29 | ||
| Replaces | draft-krovetz-ocb | ||
| Stream | IRTF | ||
| Formats | plain text pdf htmlized bibtex | ||
| IETF conflict review | conflict-review-irtf-cfrg-ocb | ||
| Stream | IRTF state | Published RFC | |
| Consensus Boilerplate | Yes | ||
| Document shepherd | David McGrew | ||
| IESG | IESG state | RFC 7253 (Informational) | |
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
| IANA | IANA review state | IANA OK - Actions Needed | |
| IANA action state | RFC-Ed-Ack | ||
Internet Research Task Force (IRTF) T. Krovetz
Request for Comments: 7253 Sacramento State
Category: Informational P. Rogaway
ISSN: 2070-1721 UC Davis
May 2014
The OCB Authenticated-Encryption Algorithm
Abstract
This document specifies OCB, a shared-key blockcipher-based
encryption scheme that provides confidentiality and authenticity for
plaintexts and authenticity for associated data. This document is a
product of the Crypto Forum Research Group (CFRG).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Research Task Force
(IRTF). The IRTF publishes the results of Internet-related research
and development activities. These results might not be suitable for
deployment. This RFC represents the consensus of the Crypto Forum
Research Group of the Internet Research Task Force (IRTF). Documents
approved for publication by the IRSG are not a candidate for any
level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7253.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Krovetz & Rogaway Informational [Page 1]
RFC 7253 OCB Authenticated Encryption May 2014
Table of Contents
1. Introduction ....................................................2
2. Notation and Basic Operations ...................................4
3. OCB Global Parameters ...........................................5
3.1. Named OCB Parameter Sets and RFC 5116 Constants ............6
4. OCB Algorithms ..................................................6
4.1. Processing Associated Data: HASH ...........................6
4.2. Encryption: OCB-ENCRYPT ....................................8
4.3. Decryption: OCB-DECRYPT ....................................9
5. Security Considerations ........................................11
5.1. Nonce Requirements ........................................12
6. IANA Considerations ............................................13
7. Acknowledgements ...............................................13
8. References .....................................................14
8.1. Normative References ......................................14
8.2. Informative References ....................................14
Appendix A. Sample Results .......................................15
1. Introduction
Schemes for authenticated encryption (AE) simultaneously provide for
confidentiality and authentication. While this goal would
traditionally be achieved by melding separate encryption and
authentication mechanisms, each using its own key, integrated AE
schemes intertwine what is needed for confidentiality and what is
needed for authenticity. By conceptualizing AE as a single
cryptographic goal, AE schemes are less likely to be misused than
conventional encryption schemes. Also, integrated AE schemes can be
significantly faster than what one sees from composing separate
confidentiality and authenticity means.
When an AE scheme allows for the authentication of unencrypted data
at the same time that a plaintext is being encrypted and
authenticated, the scheme is an authenticated encryption with
associated data (AEAD) scheme. Associated data can be useful when,
for example, a network packet has unencrypted routing information and
an encrypted payload.
OCB is an AEAD scheme that depends on a blockcipher. This document
fully defines OCB encryption and decryption except for the choice of
the blockcipher and the length of authentication tag that is part of
the ciphertext. The blockcipher must have a 128-bit blocksize. Each
choice of blockcipher and tag length specifies a different variant of
OCB. Several AES-based variants are defined in Section 3.1.
Krovetz & Rogaway Informational [Page 2]
RFC 7253 OCB Authenticated Encryption May 2014
OCB encryption and decryption employ a nonce N, which must be
distinct for each invocation of the OCB encryption operation. OCB
Show full document text