| OLD | NEW |
|---|
| (Empty) |
| 1 | |
| 2 | |
| 3 | |
| 4 | |
| 5 | |
| 6 | |
| 7 | |
| 8 | |
| 9 Crypto Forum Research Group David A. McGrew | |
| 10 Internet Draft Cisco Systems, Inc. | |
| 11 Expires April, 2003 October, 2002 | |
| 12 | |
| 13 | |
| 14 | |
| 15 Integer Counter Mode | |
| 16 <draft-irtf-cfrg-icm-00.txt> | |
| 17 | |
| 18 | |
| 19 Status of this Memo | |
| 20 | |
| 21 This document is an Internet Draft and is in full conformance with | |
| 22 all provisions of Section 10 of RFC-2026. Internet Drafts are working | |
| 23 documents of the Internet Engineering Task Force (IETF), its areas, | |
| 24 and working groups. Note that other groups may also distribute | |
| 25 working documents as Internet Drafts. | |
| 26 | |
| 27 Internet Drafts are draft documents valid for a maximum of six months | |
| 28 and may be updated, replaced, or obsoleted by other documents at any | |
| 29 time. It is inappropriate to use Internet Drafts as reference | |
| 30 material or to cite them other than as "work in progress." | |
| 31 | |
| 32 The list of current Internet-Drafts can be accessed at | |
| 33 http://www.ietf.org/ietf/1id-abstracts.txt | |
| 34 | |
| 35 The list of Internet-Draft Shadow Directories can be accessed at | |
| 36 http://www.ietf.org/shadow.html. | |
| 37 | |
| 38 | |
| 39 1. Abstract | |
| 40 | |
| 41 | |
| 42 This document specifies Integer Counter Mode (ICM), a mode of | |
| 43 operation of a block cipher which defines an indexed keystream | |
| 44 generator (which generates a keystream segment given an index). | |
| 45 This mode is efficient, parallelizable, and has been proven secure | |
| 46 given realistic assumptions about the block cipher. Test vectors | |
| 47 are provided for AES. | |
| 48 | |
| 49 Counter Mode admits many variations. The variant specified in | |
| 50 this document is secure and flexible, yet it enables a single | |
| 51 implementation of a keystream generator to suffice in different | |
| 52 application domains. | |
| 53 | |
| 54 | |
| 55 | |
| 56 | |
| 57 | |
| 58 | |
| 59 McGrew [Page 1] | |
| 60 | |
| 61 | |
| 62 Internet Draft Integer Counter Mode October, 2002 | |
| 63 | |
| 64 | |
| 65 2. Notational Conventions | |
| 66 | |
| 67 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |
| 68 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in | |
| 69 this document are to be interpreted as described in RFC-2119 [B97]. | |
| 70 | |
| 71 | |
| 72 3. Introduction | |
| 73 | |
| 74 Counter Mode is a way to define a pseudorandom keystream generator | |
| 75 using a block cipher [CTR]. The keystream can be used for additive | |
| 76 encryption, key derivation, or any other application requiring | |
| 77 pseudorandom data. | |
| 78 | |
| 79 In ICM, the keystream is logically broken into segments. Each | |
| 80 segment is identified with a segment index, and the segments have | |
| 81 equal lengths. This segmentation makes ICM especially appropriate | |
| 82 for securing packet-based protocols. | |
| 83 | |
| 84 | |
| 85 4. ICM | |
| 86 | |
| 87 In this section, ICM keystream generation and encryption are | |
| 88 defined. | |
| 89 | |
| 90 | |
| 91 4.1. ICM Parameters | |
| 92 | |
| 93 The following parameters are used in ICM. These parameters MUST | |
| 94 remain fixed for any given use of a key. | |
| 95 | |
| 96 Parameter Meaning | |
| 97 ----------------------------------------------------------------- | |
| 98 BLOCK_LENGTH the number of octets in the cipher block | |
| 99 KEY_LENGTH the number of octets in the cipher key | |
| 100 OFFSET_LENGTH the number of octets in the offset | |
| 101 SEGMENT_INDEX_LENGTH the number of octets in the segment index | |
| 102 BLOCK_INDEX_LENGTH the number of octets in the block index | |
| 103 | |
| 104 | |
| 105 4.2. Keystream Segments | |
| 106 | |
| 107 Conceptually, ICM is a keystream generator that takes a secret key | |
| 108 and a segment index as an input and then outputs a keystream | |
| 109 segment. The segmentation lends itself to packet encryption, as | |
| 110 each keystream segment can be used to encrypt a distinct packet. | |
| 111 | |
| 112 A counter is a value containing BLOCK_LENGTH octets which is | |
| 113 | |
| 114 | |
| 115 | |
| 116 McGrew [Page 2] | |
| 117 | |
| 118 | |
| 119 Internet Draft Integer Counter Mode October, 2002 | |
| 120 | |
| 121 | |
| 122 incremented using an increment function based on integer addition, | |
| 123 to produce a sequence of distinct values which are used as inputs to | |
| 124 the block cipher. (In the context of this specification, an integer | |
| 125 is an octet string, the most significant of which is the first.) | |
| 126 The output blocks of the cipher are concatenated to form the | |
| 127 keystream segment. The first octet of the segment is the first | |
| 128 octet of the first output block, and so on. A schematic of this | |
| 129 process is shown in Figure 1. | |
| 130 | |
| 131 | |
| 132 Figure 1. The generation of a keystream segment given a segment | |
| 133 index and a block cipher key K. Here C[i] and S[i] denote the ith | |
| 134 counter and keystream block, respectively. | |
| 135 | |
| 136 segment | |
| 137 index | |
| 138 | | |
| 139 v | |
| 140 C[0] -----> C[1] -----> C[2] -----> ... | |
| 141 | | | | |
| 142 v v v | |
| 143 +---+ +---+ +---+ | |
| 144 K->| E | K->| E | K->| E | ... | |
| 145 +---+ +---+ +---+ | |
| 146 | | | | |
| 147 v v v | |
| 148 S[0] S[1] S[2] ... | |
| 149 | |
| 150 The ith counter C[i] of the keystream segment with segment index s | |
| 151 is defined as | |
| 152 | |
| 153 C[i] = (i + s * (256^BLOCK_INDEX_LENGTH)) (+) r | |
| 154 | |
| 155 where r denotes the shifted Offset, which is defined as the Offset | |
| 156 times 256^(BLOCK_LENGTH - OFFSET_LENGTH). (This multiplication | |
| 157 left-shifts the Offset so that it is aligned with the leftmost | |
| 158 edge of the block.) Here ^ denotes exponentiation and (+) denotes | |
| 159 the bitwise exclusive-or operation. | |
| 160 | |
| 161 The number of blocks in any segment MUST NOT exceed | |
| 162 256^BLOCK_INDEX_LENGTH. The number of segments MUST NOT exceed | |
| 163 256^SEGMENT_INDEX_LENGTH. These restrictions ensure the uniqueness | |
| 164 of each block cipher input. They also imply that each segment | |
| 165 contains no more than (256^BLOCK_INDEX_LENGTH)*BLOCK_LENGTH octets. | |
| 166 | |
| 167 The sum of SEGMENT_INDEX_LENGTH and BLOCK_INDEX_LENGTH MUST NOT | |
| 168 exceed BLOCK_LENGTH / 2. This requirement protects the ICM | |
| 169 keystream generator from potentially failing to be pseudorandom (see | |
| 170 | |
| 171 | |
| 172 | |
| 173 McGrew [Page 3] | |
| 174 | |
| 175 | |
| 176 Internet Draft Integer Counter Mode October, 2002 | |
| 177 | |
| 178 | |
| 179 the rationale). | |
| 180 | |
| 181 Figure 2. An illustration of the structure of a counter with | |
| 182 BLOCK_LENGTH = 8, SEGMENT_INDEX_LENGTH = 2, and BLOCK_INDEX_LENGTH | |
| 183 = 2. The field marked `null' is not part of either the block | |
| 184 or segment indices. | |
| 185 | |
| 186 0 1 2 3 | |
| 187 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |
| 188 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| 189 | null | | |
| 190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| 191 | segment index | block index | | |
| 192 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| 193 | |
| 194 | |
| 195 4.3. ICM Encryption | |
| 196 | |
| 197 Unless otherwise specified, ICM encryption consists of bitwise | |
| 198 exclusive-oring the keystream into the plaintext to produce | |
| 199 the ciphertext. | |
| 200 | |
| 201 | |
| 202 4.4 ICM KEY | |
| 203 | |
| 204 An ICM key consists of the block cipher key and an Offset. The | |
| 205 Offset is an integer with OFFSET_LENGTH octets, which is used to | |
| 206 `randomize' the logical starting point of keystream. The Offset is | |
| 207 crucial to providing security; see the rationale. The value of | |
| 208 OFFSET_LENGTH SHOULD be at least half that of BLOCK_LENGTH. | |
| 209 | |
| 210 For the purposes of transporting an ICM key, e.g. in a signaling | |
| 211 protocol, that key SHOULD be considered a sequence of octets in | |
| 212 which the block cipher key precedes the Offset. | |
| 213 | |
| 214 | |
| 215 5. Implementation Considerations | |
| 216 | |
| 217 Implementation of the `add one modulo 2^m' operation is simple. For | |
| 218 example, with BLOCK_LENGTH = 8 (m=64), it can be implemented in C as | |
| 219 | |
| 220 if (!++x) ++y; | |
| 221 | |
| 222 where x and y are 32-bit unsigned integers in network byte order. | |
| 223 The implementation of general purpose addition modulo 2^m is | |
| 224 slightly more complicated. | |
| 225 | |
| 226 The fact that the Offset is left-aligned enables an implementation | |
| 227 | |
| 228 | |
| 229 | |
| 230 McGrew [Page 4] | |
| 231 | |
| 232 | |
| 233 Internet Draft Integer Counter Mode October, 2002 | |
| 234 | |
| 235 | |
| 236 to avoid propagating carry values outside of the block index and/or | |
| 237 the segment index. Choosing an OFFSET_LENGTH value equal to half | |
| 238 that of BLOCK_LENGTH avoids all of these carries, since the Offset | |
| 239 is then shifted so that it occupies the most significant octets of | |
| 240 the block, while the block and segment indices occupy the least | |
| 241 significant ones. | |
| 242 | |
| 243 | |
| 244 6. Parameters and Test Vectors for AES | |
| 245 | |
| 246 This section provides ICM parameters and test vectors for AES | |
| 247 with a 128 bit block size and 128 bit key (that is, with a | |
| 248 BLOCK_LENGTH and KEY_LENGTH of 16). | |
| 249 | |
| 250 All integers are expressed in hexadecimal. Each consecutive pair of | |
| 251 hex digits corresponds to an octet, so that the integer | |
| 252 000102030405060708090A0B0C0D0E0F corresponds to the octet sequence | |
| 253 { 00, 01, 02, 02 ... }. | |
| 254 | |
| 255 BLOCK_LENGTH 16 | |
| 256 KEY_LENGTH 16 | |
| 257 OFFSET_LENGTH 14 | |
| 258 SEGMENT_INDEX_LENGTH 6 | |
| 259 BLOCK_INDEX_LENGTH 2 | |
| 260 | |
| 261 Block Cipher Key: 2b7e151628aed2a6abf7158809cf4f3c | |
| 262 Offset: f0f1f2f3f4f5f6f7f8f9fafbfcfd | |
| 263 Segment Index: 000000000000 | |
| 264 Keystream: e03ead0935c95e80e166b16dd92b4eb4 | |
| 265 d23513162b02d0f72a43a2fe4a5f97ab | |
| 266 ... | |
| 267 | |
| 268 The counter values that correspond to the keystream blocks are | |
| 269 outlined below. | |
| 270 | |
| 271 Counter Keystream | |
| 272 | |
| 273 f0f1f2f3f4f5f6f7f8f9fafbfcfd0000 e03ead0935c95e80e166b16dd92b4eb4 | |
| 274 f0f1f2f3f4f5f6f7f8f9fafbfcfd0001 d23513162b02d0f72a43a2fe4a5f97ab | |
| 275 f0f1f2f3f4f5f6f7f8f9fafbfcfd0002 41e95b3bb0a2e8dd477901e4fca894c0 | |
| 276 ... ... | |
| 277 | |
| 278 | |
| 279 7. Security Considerations | |
| 280 | |
| 281 Each block cipher input is distinct for any segment and any block | |
| 282 index. To see this fact, subtract any two counter values with | |
| 283 distinct segment or block indices; the result is non-zero. | |
| 284 | |
| 285 | |
| 286 | |
| 287 McGrew [Page 5] | |
| 288 | |
| 289 | |
| 290 Internet Draft Integer Counter Mode October, 2002 | |
| 291 | |
| 292 | |
| 293 The limitation on the number of segments which can be generated | |
| 294 ensures that the probability with which an adversary can distinguish | |
| 295 the keystream generator from random is negligible. For a | |
| 296 theoretical justification of this fact, see Bellare et. al. [BR98]. | |
| 297 Their analysis shows that if the block cipher cannot be | |
| 298 distinguished from a random permutation, then the keystream | |
| 299 generated by ICM cannot be distinguished from keystream generated by | |
| 300 a truly random process, as long as the length of keystream which is | |
| 301 generated is kept below some threshold. The threshold defined in | |
| 302 Section 4.2 is sufficient for most uses of ICM for encryption. This | |
| 303 specification refrains from dictating a lower threshold in order to | |
| 304 refrain from dictating a particular policy, and to avoid a | |
| 305 complicated digression. | |
| 306 | |
| 307 The use of the Offset, a key-dependent value which randomizes the | |
| 308 starting position of the keystream, is essential for security. The | |
| 309 omission of this mechanism leaves the door open for practical | |
| 310 attacks, such as the key collision attack and Hellman's time-memory | |
| 311 tradeoff attack; see McGrew and Fluhrer [MF00] for a description of | |
| 312 these attacks which is applicable to ICM. Several counter mode | |
| 313 proposals do not include an offset, and are thus vulnerable to these | |
| 314 attacks. | |
| 315 | |
| 316 | |
| 317 8. Rationale | |
| 318 | |
| 319 This speficiation includes input from implementation experience with | |
| 320 several counter mode variants. The goals of ICM are to provide: | |
| 321 | |
| 322 o a secure keystream generator and cipher, and | |
| 323 | |
| 324 o a definition flexible enough that a single implementation can be | |
| 325 used for a variety of applications (e.g., Secure RTP [SRTP], | |
| 326 IPsec ESP [KA96]). | |
| 327 | |
| 328 The Offset slightly increases the key management overhead, but this | |
| 329 minor disadvantage is well outweighed by other savings. The Offset | |
| 330 is no larger than a CBC mode IV, and ICM enables the use of an | |
| 331 explicit IV (as is commonly used with CBC [MD98]) to be avoided. | |
| 332 | |
| 333 | |
| 334 9. History | |
| 335 | |
| 336 This draft is based on draft-mcgrew-saag-icm-00.txt, which was | |
| 337 submitted to SAAG on November, 2001 and which expired in May, 2002. | |
| 338 | |
| 339 The current definition of ICM has changed from the earlier one; the | |
| 340 counter formation is different and the specifications are | |
| 341 | |
| 342 | |
| 343 | |
| 344 McGrew [Page 6] | |
| 345 | |
| 346 | |
| 347 Internet Draft Integer Counter Mode October, 2002 | |
| 348 | |
| 349 | |
| 350 unfortunately not interoperable. This change was motivated by a | |
| 351 considerable amount of feedback on the desirability of admitting | |
| 352 optimizations of the sort described in Section 5, in which the carry | |
| 353 operations of counter addition need not be propagated across a large | |
| 354 register. | |
| 355 | |
| 356 The current definition of ICM is interoperable with that defined in | |
| 357 Secure RTP [SRTP]. | |
| 358 | |
| 359 | |
| 360 10. Acknowledgements | |
| 361 | |
| 362 Thanks are due to Helger Lipmaa, Jerome Etienne, Scott Fluhrer and | |
| 363 Mats Naslund for their helpful discussion and comments. | |
| 364 | |
| 365 | |
| 366 11. Contact Information | |
| 367 | |
| 368 Questions and comments on this draft SHOULD be sent to: | |
| 369 | |
| 370 David A. McGrew | |
| 371 Cisco Systems, Inc. | |
| 372 mcgrew@cisco.com | |
| 373 | |
| 374 and copied to the Crypto Forum Research Group at: | |
| 375 | |
| 376 cfrg@ietf.org. | |
| 377 | |
| 378 | |
| 379 12. References | |
| 380 | |
| 381 | |
| 382 [BR98] M. Bellare, A. Desai, E. Lokipii and P. Rogaway, A | |
| 383 Concrete Security Treatment of Symmetric Encryption: | |
| 384 Analysis of DES Modes of Operation, Proceedings of | |
| 385 the 38th Symposium on Foundations of Computer | |
| 386 Science, IEEE, 1997. | |
| 387 | |
| 388 [B97] S. Bradner, Key words for use in RFCs to Indicate | |
| 389 Requirement Levels, RFC 2119, March 1997. | |
| 390 | |
| 391 [AES] The Advanced Encryption Standard, United States | |
| 392 National Institute for Standards and Technology (NIST), | |
| 393 http://www.nist.gov/aes/. | |
| 394 | |
| 395 [CTR] M. Dworkin, NIST Special Publication 800-38A, | |
| 396 "Recommendation for Block Cipher Modes of Operation: Methods | |
| 397 and Techniques", 2001. Online at | |
| 398 | |
| 399 | |
| 400 | |
| 401 McGrew [Page 7] | |
| 402 | |
| 403 | |
| 404 Internet Draft Integer Counter Mode October, 2002 | |
| 405 | |
| 406 | |
| 407 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800- | |
| 408 38a.pdf. | |
| 409 | |
| 410 [MD98] Madson, C., and Doraswamy, N., "The ESP DES-CBC Cipher | |
| 411 Algorithm With Explicit IV", RFC 2405, November 1998. | |
| 412 | |
| 413 [MF00] D. McGrew and S. Fluhrer, Attacks on Additive Encryption and | |
| 414 Implications on Internet Security, Selected Areas in | |
| 415 Cryptography 2000. | |
| 416 | |
| 417 [SRTP] The Secure Real-time Transport Protocol, Baugher et. al., | |
| 418 Internet Draft, draft-ietf-avt-srtp-05.txt. | |
| 419 | |
| 420 | |
| 421 | |
| 422 | |
| 423 | |
| 424 | |
| 425 | |
| 426 | |
| 427 | |
| 428 | |
| 429 | |
| 430 | |
| 431 | |
| 432 | |
| 433 | |
| 434 | |
| 435 | |
| 436 | |
| 437 | |
| 438 | |
| 439 | |
| 440 | |
| 441 | |
| 442 | |
| 443 | |
| 444 | |
| 445 | |
| 446 | |
| 447 | |
| 448 | |
| 449 | |
| 450 | |
| 451 | |
| 452 | |
| 453 | |
| 454 | |
| 455 | |
| 456 | |
| 457 | |
| 458 McGrew [Page 8] | |
| 459 | |
| 460 | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1434033004:
Update libsrtp to upstream commit be95365fbb4788b688cab7af61c65b7989055fb4 (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/libsrtp@master