| OLD | NEW |
|---|
| (Empty) | |
| 1 |
| 2 |
| 3 |
| 4 |
| 5 |
| 6 |
| 7 |
| 8 |
| 9 Crypto Forum Research Group David A. McGrew |
| 10 Internet Draft Cisco Systems, Inc. |
| 11 Expires April, 2003 October, 2002 |
| 12 |
| 13 |
| 14 |
| 15 Integer Counter Mode |
| 16 <draft-irtf-cfrg-icm-00.txt> |
| 17 |
| 18 |
| 19 Status of this Memo |
| 20 |
| 21 This document is an Internet Draft and is in full conformance with |
| 22 all provisions of Section 10 of RFC-2026. Internet Drafts are working |
| 23 documents of the Internet Engineering Task Force (IETF), its areas, |
| 24 and working groups. Note that other groups may also distribute |
| 25 working documents as Internet Drafts. |
| 26 |
| 27 Internet Drafts are draft documents valid for a maximum of six months |
| 28 and may be updated, replaced, or obsoleted by other documents at any |
| 29 time. It is inappropriate to use Internet Drafts as reference |
| 30 material or to cite them other than as "work in progress." |
| 31 |
| 32 The list of current Internet-Drafts can be accessed at |
| 33 http://www.ietf.org/ietf/1id-abstracts.txt |
| 34 |
| 35 The list of Internet-Draft Shadow Directories can be accessed at |
| 36 http://www.ietf.org/shadow.html. |
| 37 |
| 38 |
| 39 1. Abstract |
| 40 |
| 41 |
| 42 This document specifies Integer Counter Mode (ICM), a mode of |
| 43 operation of a block cipher which defines an indexed keystream |
| 44 generator (which generates a keystream segment given an index). |
| 45 This mode is efficient, parallelizable, and has been proven secure |
| 46 given realistic assumptions about the block cipher. Test vectors |
| 47 are provided for AES. |
| 48 |
| 49 Counter Mode admits many variations. The variant specified in |
| 50 this document is secure and flexible, yet it enables a single |
| 51 implementation of a keystream generator to suffice in different |
| 52 application domains. |
| 53 |
| 54 |
| 55 |
| 56 |
| 57 |
| 58 |
| 59 McGrew [Page 1] |
| 60 |
| 61 |
| 62 Internet Draft Integer Counter Mode October, 2002 |
| 63 |
| 64 |
| 65 2. Notational Conventions |
| 66 |
| 67 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
| 68 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in |
| 69 this document are to be interpreted as described in RFC-2119 [B97]. |
| 70 |
| 71 |
| 72 3. Introduction |
| 73 |
| 74 Counter Mode is a way to define a pseudorandom keystream generator |
| 75 using a block cipher [CTR]. The keystream can be used for additive |
| 76 encryption, key derivation, or any other application requiring |
| 77 pseudorandom data. |
| 78 |
| 79 In ICM, the keystream is logically broken into segments. Each |
| 80 segment is identified with a segment index, and the segments have |
| 81 equal lengths. This segmentation makes ICM especially appropriate |
| 82 for securing packet-based protocols. |
| 83 |
| 84 |
| 85 4. ICM |
| 86 |
| 87 In this section, ICM keystream generation and encryption are |
| 88 defined. |
| 89 |
| 90 |
| 91 4.1. ICM Parameters |
| 92 |
| 93 The following parameters are used in ICM. These parameters MUST |
| 94 remain fixed for any given use of a key. |
| 95 |
| 96 Parameter Meaning |
| 97 ----------------------------------------------------------------- |
| 98 BLOCK_LENGTH the number of octets in the cipher block |
| 99 KEY_LENGTH the number of octets in the cipher key |
| 100 OFFSET_LENGTH the number of octets in the offset |
| 101 SEGMENT_INDEX_LENGTH the number of octets in the segment index |
| 102 BLOCK_INDEX_LENGTH the number of octets in the block index |
| 103 |
| 104 |
| 105 4.2. Keystream Segments |
| 106 |
| 107 Conceptually, ICM is a keystream generator that takes a secret key |
| 108 and a segment index as an input and then outputs a keystream |
| 109 segment. The segmentation lends itself to packet encryption, as |
| 110 each keystream segment can be used to encrypt a distinct packet. |
| 111 |
| 112 A counter is a value containing BLOCK_LENGTH octets which is |
| 113 |
| 114 |
| 115 |
| 116 McGrew [Page 2] |
| 117 |
| 118 |
| 119 Internet Draft Integer Counter Mode October, 2002 |
| 120 |
| 121 |
| 122 incremented using an increment function based on integer addition, |
| 123 to produce a sequence of distinct values which are used as inputs to |
| 124 the block cipher. (In the context of this specification, an integer |
| 125 is an octet string, the most significant of which is the first.) |
| 126 The output blocks of the cipher are concatenated to form the |
| 127 keystream segment. The first octet of the segment is the first |
| 128 octet of the first output block, and so on. A schematic of this |
| 129 process is shown in Figure 1. |
| 130 |
| 131 |
| 132 Figure 1. The generation of a keystream segment given a segment |
| 133 index and a block cipher key K. Here C[i] and S[i] denote the ith |
| 134 counter and keystream block, respectively. |
| 135 |
| 136 segment |
| 137 index |
| 138 | |
| 139 v |
| 140 C[0] -----> C[1] -----> C[2] -----> ... |
| 141 | | | |
| 142 v v v |
| 143 +---+ +---+ +---+ |
| 144 K->| E | K->| E | K->| E | ... |
| 145 +---+ +---+ +---+ |
| 146 | | | |
| 147 v v v |
| 148 S[0] S[1] S[2] ... |
| 149 |
| 150 The ith counter C[i] of the keystream segment with segment index s |
| 151 is defined as |
| 152 |
| 153 C[i] = (i + s * (256^BLOCK_INDEX_LENGTH)) (+) r |
| 154 |
| 155 where r denotes the shifted Offset, which is defined as the Offset |
| 156 times 256^(BLOCK_LENGTH - OFFSET_LENGTH). (This multiplication |
| 157 left-shifts the Offset so that it is aligned with the leftmost |
| 158 edge of the block.) Here ^ denotes exponentiation and (+) denotes |
| 159 the bitwise exclusive-or operation. |
| 160 |
| 161 The number of blocks in any segment MUST NOT exceed |
| 162 256^BLOCK_INDEX_LENGTH. The number of segments MUST NOT exceed |
| 163 256^SEGMENT_INDEX_LENGTH. These restrictions ensure the uniqueness |
| 164 of each block cipher input. They also imply that each segment |
| 165 contains no more than (256^BLOCK_INDEX_LENGTH)*BLOCK_LENGTH octets. |
| 166 |
| 167 The sum of SEGMENT_INDEX_LENGTH and BLOCK_INDEX_LENGTH MUST NOT |
| 168 exceed BLOCK_LENGTH / 2. This requirement protects the ICM |
| 169 keystream generator from potentially failing to be pseudorandom (see |
| 170 |
| 171 |
| 172 |
| 173 McGrew [Page 3] |
| 174 |
| 175 |
| 176 Internet Draft Integer Counter Mode October, 2002 |
| 177 |
| 178 |
| 179 the rationale). |
| 180 |
| 181 Figure 2. An illustration of the structure of a counter with |
| 182 BLOCK_LENGTH = 8, SEGMENT_INDEX_LENGTH = 2, and BLOCK_INDEX_LENGTH |
| 183 = 2. The field marked `null' is not part of either the block |
| 184 or segment indices. |
| 185 |
| 186 0 1 2 3 |
| 187 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 |
| 188 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| 189 | null | |
| 190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| 191 | segment index | block index | |
| 192 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| 193 |
| 194 |
| 195 4.3. ICM Encryption |
| 196 |
| 197 Unless otherwise specified, ICM encryption consists of bitwise |
| 198 exclusive-oring the keystream into the plaintext to produce |
| 199 the ciphertext. |
| 200 |
| 201 |
| 202 4.4 ICM KEY |
| 203 |
| 204 An ICM key consists of the block cipher key and an Offset. The |
| 205 Offset is an integer with OFFSET_LENGTH octets, which is used to |
| 206 `randomize' the logical starting point of keystream. The Offset is |
| 207 crucial to providing security; see the rationale. The value of |
| 208 OFFSET_LENGTH SHOULD be at least half that of BLOCK_LENGTH. |
| 209 |
| 210 For the purposes of transporting an ICM key, e.g. in a signaling |
| 211 protocol, that key SHOULD be considered a sequence of octets in |
| 212 which the block cipher key precedes the Offset. |
| 213 |
| 214 |
| 215 5. Implementation Considerations |
| 216 |
| 217 Implementation of the `add one modulo 2^m' operation is simple. For |
| 218 example, with BLOCK_LENGTH = 8 (m=64), it can be implemented in C as |
| 219 |
| 220 if (!++x) ++y; |
| 221 |
| 222 where x and y are 32-bit unsigned integers in network byte order. |
| 223 The implementation of general purpose addition modulo 2^m is |
| 224 slightly more complicated. |
| 225 |
| 226 The fact that the Offset is left-aligned enables an implementation |
| 227 |
| 228 |
| 229 |
| 230 McGrew [Page 4] |
| 231 |
| 232 |
| 233 Internet Draft Integer Counter Mode October, 2002 |
| 234 |
| 235 |
| 236 to avoid propagating carry values outside of the block index and/or |
| 237 the segment index. Choosing an OFFSET_LENGTH value equal to half |
| 238 that of BLOCK_LENGTH avoids all of these carries, since the Offset |
| 239 is then shifted so that it occupies the most significant octets of |
| 240 the block, while the block and segment indices occupy the least |
| 241 significant ones. |
| 242 |
| 243 |
| 244 6. Parameters and Test Vectors for AES |
| 245 |
| 246 This section provides ICM parameters and test vectors for AES |
| 247 with a 128 bit block size and 128 bit key (that is, with a |
| 248 BLOCK_LENGTH and KEY_LENGTH of 16). |
| 249 |
| 250 All integers are expressed in hexadecimal. Each consecutive pair of |
| 251 hex digits corresponds to an octet, so that the integer |
| 252 000102030405060708090A0B0C0D0E0F corresponds to the octet sequence |
| 253 { 00, 01, 02, 02 ... }. |
| 254 |
| 255 BLOCK_LENGTH 16 |
| 256 KEY_LENGTH 16 |
| 257 OFFSET_LENGTH 14 |
| 258 SEGMENT_INDEX_LENGTH 6 |
| 259 BLOCK_INDEX_LENGTH 2 |
| 260 |
| 261 Block Cipher Key: 2b7e151628aed2a6abf7158809cf4f3c |
| 262 Offset: f0f1f2f3f4f5f6f7f8f9fafbfcfd |
| 263 Segment Index: 000000000000 |
| 264 Keystream: e03ead0935c95e80e166b16dd92b4eb4 |
| 265 d23513162b02d0f72a43a2fe4a5f97ab |
| 266 ... |
| 267 |
| 268 The counter values that correspond to the keystream blocks are |
| 269 outlined below. |
| 270 |
| 271 Counter Keystream |
| 272 |
| 273 f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 e03ead0935c95e80e166b16dd92b4eb4 |
| 274 f0f1f2f3f4f5f6f7f8f9fafbfcfd0001 d23513162b02d0f72a43a2fe4a5f97ab |
| 275 f0f1f2f3f4f5f6f7f8f9fafbfcfd0002 41e95b3bb0a2e8dd477901e4fca894c0 |
| 276 ... ... |
| 277 |
| 278 |
| 279 7. Security Considerations |
| 280 |
| 281 Each block cipher input is distinct for any segment and any block |
| 282 index. To see this fact, subtract any two counter values with |
| 283 distinct segment or block indices; the result is non-zero. |
| 284 |
| 285 |
| 286 |
| 287 McGrew [Page 5] |
| 288 |
| 289 |
| 290 Internet Draft Integer Counter Mode October, 2002 |
| 291 |
| 292 |
| 293 The limitation on the number of segments which can be generated |
| 294 ensures that the probability with which an adversary can distinguish |
| 295 the keystream generator from random is negligible. For a |
| 296 theoretical justification of this fact, see Bellare et. al. [BR98]. |
| 297 Their analysis shows that if the block cipher cannot be |
| 298 distinguished from a random permutation, then the keystream |
| 299 generated by ICM cannot be distinguished from keystream generated by |
| 300 a truly random process, as long as the length of keystream which is |
| 301 generated is kept below some threshold. The threshold defined in |
| 302 Section 4.2 is sufficient for most uses of ICM for encryption. This |
| 303 specification refrains from dictating a lower threshold in order to |
| 304 refrain from dictating a particular policy, and to avoid a |
| 305 complicated digression. |
| 306 |
| 307 The use of the Offset, a key-dependent value which randomizes the |
| 308 starting position of the keystream, is essential for security. The |
| 309 omission of this mechanism leaves the door open for practical |
| 310 attacks, such as the key collision attack and Hellman's time-memory |
| 311 tradeoff attack; see McGrew and Fluhrer [MF00] for a description of |
| 312 these attacks which is applicable to ICM. Several counter mode |
| 313 proposals do not include an offset, and are thus vulnerable to these |
| 314 attacks. |
| 315 |
| 316 |
| 317 8. Rationale |
| 318 |
| 319 This speficiation includes input from implementation experience with |
| 320 several counter mode variants. The goals of ICM are to provide: |
| 321 |
| 322 o a secure keystream generator and cipher, and |
| 323 |
| 324 o a definition flexible enough that a single implementation can be |
| 325 used for a variety of applications (e.g., Secure RTP [SRTP], |
| 326 IPsec ESP [KA96]). |
| 327 |
| 328 The Offset slightly increases the key management overhead, but this |
| 329 minor disadvantage is well outweighed by other savings. The Offset |
| 330 is no larger than a CBC mode IV, and ICM enables the use of an |
| 331 explicit IV (as is commonly used with CBC [MD98]) to be avoided. |
| 332 |
| 333 |
| 334 9. History |
| 335 |
| 336 This draft is based on draft-mcgrew-saag-icm-00.txt, which was |
| 337 submitted to SAAG on November, 2001 and which expired in May, 2002. |
| 338 |
| 339 The current definition of ICM has changed from the earlier one; the |
| 340 counter formation is different and the specifications are |
| 341 |
| 342 |
| 343 |
| 344 McGrew [Page 6] |
| 345 |
| 346 |
| 347 Internet Draft Integer Counter Mode October, 2002 |
| 348 |
| 349 |
| 350 unfortunately not interoperable. This change was motivated by a |
| 351 considerable amount of feedback on the desirability of admitting |
| 352 optimizations of the sort described in Section 5, in which the carry |
| 353 operations of counter addition need not be propagated across a large |
| 354 register. |
| 355 |
| 356 The current definition of ICM is interoperable with that defined in |
| 357 Secure RTP [SRTP]. |
| 358 |
| 359 |
| 360 10. Acknowledgements |
| 361 |
| 362 Thanks are due to Helger Lipmaa, Jerome Etienne, Scott Fluhrer and |
| 363 Mats Naslund for their helpful discussion and comments. |
| 364 |
| 365 |
| 366 11. Contact Information |
| 367 |
| 368 Questions and comments on this draft SHOULD be sent to: |
| 369 |
| 370 David A. McGrew |
| 371 Cisco Systems, Inc. |
| 372 mcgrew@cisco.com |
| 373 |
| 374 and copied to the Crypto Forum Research Group at: |
| 375 |
| 376 cfrg@ietf.org. |
| 377 |
| 378 |
| 379 12. References |
| 380 |
| 381 |
| 382 [BR98] M. Bellare, A. Desai, E. Lokipii and P. Rogaway, A |
| 383 Concrete Security Treatment of Symmetric Encryption: |
| 384 Analysis of DES Modes of Operation, Proceedings of |
| 385 the 38th Symposium on Foundations of Computer |
| 386 Science, IEEE, 1997. |
| 387 |
| 388 [B97] S. Bradner, Key words for use in RFCs to Indicate |
| 389 Requirement Levels, RFC 2119, March 1997. |
| 390 |
| 391 [AES] The Advanced Encryption Standard, United States |
| 392 National Institute for Standards and Technology (NIST), |
| 393 http://www.nist.gov/aes/. |
| 394 |
| 395 [CTR] M. Dworkin, NIST Special Publication 800-38A, |
| 396 "Recommendation for Block Cipher Modes of Operation: Methods |
| 397 and Techniques", 2001. Online at |
| 398 |
| 399 |
| 400 |
| 401 McGrew [Page 7] |
| 402 |
| 403 |
| 404 Internet Draft Integer Counter Mode October, 2002 |
| 405 |
| 406 |
| 407 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800- |
| 408 38a.pdf. |
| 409 |
| 410 [MD98] Madson, C., and Doraswamy, N., "The ESP DES-CBC Cipher |
| 411 Algorithm With Explicit IV", RFC 2405, November 1998. |
| 412 |
| 413 [MF00] D. McGrew and S. Fluhrer, Attacks on Additive Encryption and |
| 414 Implications on Internet Security, Selected Areas in |
| 415 Cryptography 2000. |
| 416 |
| 417 [SRTP] The Secure Real-time Transport Protocol, Baugher et. al., |
| 418 Internet Draft, draft-ietf-avt-srtp-05.txt. |
| 419 |
| 420 |
| 421 |
| 422 |
| 423 |
| 424 |
| 425 |
| 426 |
| 427 |
| 428 |
| 429 |
| 430 |
| 431 |
| 432 |
| 433 |
| 434 |
| 435 |
| 436 |
| 437 |
| 438 |
| 439 |
| 440 |
| 441 |
| 442 |
| 443 |
| 444 |
| 445 |
| 446 |
| 447 |
| 448 |
| 449 |
| 450 |
| 451 |
| 452 |
| 453 |
| 454 |
| 455 |
| 456 |
| 457 |
| 458 McGrew [Page 8] |
| 459 |
| 460 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3423016:
Add current version of libSRTP from CVS. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/