Internet Draft                                            S. Frankel, NIST
IPsec Working Group                                   S. Kelly, SonicWALL
Expiration Date: May 2002                                  R. Glenn, NIST
November 2001

            The AES Cipher Algorithm and Its Use With IPsec

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Drafts Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a submission to the IETF Internet Protocol Security
   (IPsec) Working Group. Comments are solicited and should be addressed
   to the working group mailing list (ipsec@lists.tislabs.com) or to the
   editors.

   Distribution of this memo is unlimited.

Abstract

   This document describes the use of the AES Cipher Algorithm in
   Cipher Block Chaining Mode, with an explicit IV, as a confidentiality
   mechanism within the context of the IPsec Encapsulating Security
   Payload (ESP).

Frankel,Glenn,Kelly                                             [Page 1]

INTERNET DRAFT                                             November 2001

Table of Contents

   1.  Introduction ..................................................  3
       1.1  Specification of Requirements ............................  3
   2.  The AES Cipher Algorithm ......................................  3
       2.1  Mode .....................................................  3
       2.2  Key Size .................................................  4
       2.3  Weak Keys ................................................  4
       2.4  Block Size and Padding ...................................  4
       2.5  Rounds ...................................................  5
       2.6  Additional Information ...................................  5
       2.7  Performance ..............................................  5
   3.  ESP Payload ...................................................  5
       3.1  ESP Algorithmic Interactions .............................  6
       3.2  Keying Material ..........................................  6
   4.  IKE Interactions ..............................................  6
       4.1  Phase 1 Identifier .......................................  6
       4.2  Phase 2 Identifier .......................................  6
       4.3  Key Length Attribute .....................................  6
       4.4  Diffie-Hellman Groups ....................................  6
            4.4.1  Relative Strength .................................  7
       4.5  Hash Algorithm Considerations ............................  8
   5.  Security Considerations .......................................  9
   6.  IANA Considerations ...........................................  9
   7.  Intellectual Property Rights Statement ........................  9
   8.  Acknowledgments ............................................... 10
   9.  References .................................................... 10
   10. Authors' Addresses ............................................ 11
   11. Full Copyright Statement ...................................... 12

1. Introduction

   As the culmination of a four-year competitive process, NIST (the
   National Institute of Standards and Technology) has selected the AES
   (Advanced Encryption Standard), the successor to the venerable DES.
   The competition was an open one, with public participation and
   comment solicited at each step of the process. The AES, formerly
   known as Rijndael, was chosen from a field of five finalists.
   The final AES selection was made on the basis of several additional
   characteristics:

   + computational efficiency and memory requirements on a variety of
     software and hardware, including smart cards

   + flexibility, simplicity and ease of implementation

   The AES will be the government's designated encryption cipher, and
   will be definitively described in a FIPS (Federal Information
   Processing Standard), expected to be completed by summer 2001. The
   expectation is that the AES will suffice to protect sensitive
   (unclassified) government information at least until the next
   century. It is also expected to be widely adopted by businesses and
   financial institutions.

   It is the intention of the IETF IPsec Working Group that AES will
   eventually be adopted as the default IPsec ESP cipher and will obtain
   the status of MUST be included in compliant IPsec implementations.

   The remainder of this document specifies the use of the AES within
   the context of IPsec ESP. For further information on how the various
   pieces of ESP fit together to provide security services, refer to
   [ARCH], [ESP], and [ROAD].

1.1 Specification of Requirements

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
   appear in this document are to be interpreted as described in
   [RFC-2119].

2. The AES Cipher Algorithm

   All symmetric block cipher algorithms share common characteristics
   and variables, including mode, key size, weak keys, block size, and
   rounds. The following sections contain descriptions of the relevant
   characteristics of the AES cipher.

2.1 Mode

   No operational modes are currently defined for the AES cipher. NIST
   is in the process of developing a modes of operation FIPS for AES
   [MODES]. However, the Cipher Block Chaining (CBC) mode is
   well-defined and well-understood for symmetric ciphers, and is
   currently required for all other ESP ciphers.
   This document specifies the use of the AES cipher in CBC mode within
   ESP. This mode requires an Initialization Vector (IV) that is the
   same size as the block size. Use of a randomly generated IV prevents
   generation of identical ciphertext from packets which have identical
   data that spans the first block of the cipher algorithm's block size.

   The IV is XOR'd with the first plaintext block before it is
   encrypted. Then for successive blocks, the previous ciphertext block
   is XOR'd with the current plaintext, before it is encrypted.

   More information on CBC mode can be obtained in [CRYPTO-S]. For the
   use of CBC mode in ESP with 64-bit ciphers, see [CBC].

2.2 Key Size

   Some cipher algorithms allow for variable sized keys, while others
   only allow specific, pre-defined key sizes. The length of the key
   typically correlates with the strength of the algorithm; thus larger
   keys are usually harder to break than shorter ones.

   This document specifies the default (i.e. MUST be supported) key size
   for the AES cipher algorithm. The default key size that
   implementations MUST support for IPsec is 128 bits. In addition,
   implementations MAY support key sizes of 192 and 256 bits.

2.3 Weak Keys

   At the time of writing this document there are no known weak keys for
   the AES.

   Some cipher algorithms have weak keys or keys that MUST NOT be used
   due to their interaction with some aspect of the cipher's definition.
   If weak keys are discovered for the AES, then weak keys SHOULD be
   checked for and discarded when using manual key management. When
   using dynamic key management, such as [IKE], weak key checks SHOULD
   NOT be performed as they are seen as an unnecessary added code
   complexity that could weaken the intended security [EVALUATION].

2.4 Block Size and Padding

   The AES uses a block size of sixteen octets (128 bits).

   Padding is required by the AES to maintain a 16-octet (128-bit)
   blocksize.
   Padding MUST be added, as specified in [ESP], such that the data to
   be encrypted (which includes the ESP Pad Length and Next Header
   fields) has a length that is a multiple of 16 octets.

   Because of the algorithm specific padding requirement, no additional
   padding is required to ensure that the ciphertext terminates on a
   4-octet boundary (i.e. maintaining a 16-octet blocksize guarantees
   that the ESP Pad Length and Next Header fields will be right aligned
   within a 4-octet word). Additional padding MAY be included, as
   specified in [ESP], as long as the 16-octet blocksize is maintained.

2.5 Rounds

   This variable determines how many times a block is encrypted. While
   this variable MAY be negotiated, a default value MUST always exist
   when it is not negotiated.

   Within IPsec, the AES MUST support 10 rounds, corresponding to the
   mandatory 128-bit keysize. The AES's default number of rounds is 12
   for a 192-bit keysize and 14 for a 256-bit keysize.

2.6 Additional Information

   AES was invented by Joan Daemen from Banksys/PWI and Vincent Rijmen
   from ESAT-COSIC, both in Belgium, and is available world-wide on a
   royalty-free basis. It is not covered by any patents, and the
   Rijndael homepage contains the following statement: "Rijndael is
   available for free. You can use it for whatever purposes you want,
   irrespective of whether it is accepted as AES or not."

   AES's description can be found in [RIJNDAEL]. The Rijndael homepage
   is: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.

   The AES homepage, http://www.nist.gov/aes, contains a wealth of
   information about the AES, including a definitive description of the
   AES algorithm, performance statistics, test vectors and intellectual
   property information. This site also contains information on how to
   obtain an AES reference implementation from NIST.
2.7 Performance

   For a comparison table of the estimated speeds of AES and other
   cipher algorithms, please see [PERF-1], [PERF-2], [PERF-3], or
   [PERF-4]. The AES homepage has pointers to other analyses. The AES
   cipher document [RIJNDAEL] also contains performance statistics.

3. ESP Payload

   The ESP payload is made up of the IV followed by raw cipher-text.
   Thus the payload field, as defined in [ESP], is broken down according
   to the following diagram:

   +---------------+---------------+---------------+---------------+
   |                                                               |
   +               Initialization Vector (16 octets)               +
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   ~ Encrypted Payload (variable length, a multiple of 16 octets)  ~
   |                                                               |
   +---------------------------------------------------------------+

   The IV field MUST be the same size as the block size of the cipher
   algorithm being used. The IV MUST be chosen at random. Common
   practice is to use random data for the first IV and the last block
   of encrypted data from an encryption process as the IV for the next
   encryption process.

   Including the IV in each datagram ensures that decryption of each
   received datagram can be performed, even when some datagrams are
   dropped, or datagrams are re-ordered in transit.

   To avoid CBC encryption of very similar plaintext blocks in different
   packets, implementations MUST NOT use a counter or other low-Hamming
   distance source for IVs.

3.1 ESP Algorithmic Interactions

   Currently, there are no known issues regarding interactions between
   the AES and other aspects of ESP, such as use of certain
   authentication schemes.

3.2 Keying Material

   The minimum number of bits sent from the key exchange protocol to the
   ESP algorithm must be greater than or equal to the key size.

   The cipher's encryption and decryption key is taken from the first
   bits of the keying material, where represents the required key size.
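   The following Go program is an added illustration, not code from the
   draft or from NIST, of the payload construction in sections 2.1, 2.4
   and 3: a fresh random 16-octet IV per datagram, ESP padding that
   brings data plus the Pad Length and Next Header octets to a multiple
   of 16, AES-CBC over the padded data using Go's standard library, and
   the IV prepended to the ciphertext. Decryption needs nothing from
   earlier datagrams, which is the loss- and reordering-tolerance the
   section describes. The key, inner data and Next Header value are
   constructed for the demonstration; authentication (ESP's ICV) is out
   of scope here and is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// BlockSize is the AES block size of 16 octets (section 2.4). The IV
// carried in the ESP payload MUST be the same size (section 3).
const BlockSize = aes.BlockSize

// espPad appends padding so that data || Padding || Pad Length || Next
// Header is a multiple of 16 octets, using the default ESP pad octets
// 1, 2, 3, ... nextHeader is the protocol number of the inner data.
func espPad(data []byte, nextHeader byte) []byte {
	// The two trailer octets are encrypted too, so they count toward
	// the block-size requirement.
	padLen := (BlockSize - (len(data)+2)%BlockSize) % BlockSize
	out := make([]byte, 0, len(data)+padLen+2)
	out = append(out, data...)
	for i := 1; i <= padLen; i++ {
		out = append(out, byte(i))
	}
	return append(out, byte(padLen), nextHeader)
}

// espUnpad checks the trailer of a decrypted payload and returns the
// inner data and the Next Header value.
func espUnpad(padded []byte) ([]byte, byte, error) {
	if len(padded) < BlockSize || len(padded)%BlockSize != 0 {
		return nil, 0, errors.New("esp: decrypted length is not a multiple of 16")
	}
	nextHeader := padded[len(padded)-1]
	padLen := int(padded[len(padded)-2])
	end := len(padded) - 2 - padLen
	if end < 0 {
		return nil, 0, errors.New("esp: pad length exceeds payload")
	}
	for i := 0; i < padLen; i++ {
		if padded[end+i] != byte(i+1) {
			return nil, 0, errors.New("esp: padding octets do not match the default scheme")
		}
	}
	return padded[:end], nextHeader, nil
}

// EncryptESPPayload builds the payload field of section 3:
// IV || AES-CBC(key, IV, espPad(plaintext, nextHeader)).
// A fresh IV is read from the CSPRNG for every datagram; a counter or
// other low-Hamming-distance source MUST NOT be used (section 3).
func EncryptESPPayload(key, plaintext []byte, nextHeader byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 octets (section 2.2)
	if err != nil {
		return nil, err
	}
	padded := espPad(plaintext, nextHeader)
	payload := make([]byte, BlockSize+len(padded))
	iv := payload[:BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(payload[BlockSize:], padded)
	return payload, nil
}

// DecryptESPPayload reverses EncryptESPPayload for a single datagram.
// Because the IV travels inside the datagram, no state from earlier
// datagrams is needed, so loss or reordering does not break decryption.
func DecryptESPPayload(key, payload []byte) ([]byte, byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, 0, err
	}
	if len(payload) < 2*BlockSize || len(payload)%BlockSize != 0 {
		return nil, 0, errors.New("esp: payload is not an IV plus whole blocks")
	}
	iv, ct := payload[:BlockSize], payload[BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return espUnpad(pt)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)       // constructed 128-bit demo key
	inner := []byte("constructed inner packet") // 24 octets -> 6 pad octets
	payload, err := EncryptESPPayload(key, inner, 4) // Next Header 4: IP-in-IP
	if err != nil {
		panic(err)
	}
	fmt.Printf("payload: %d octets = 16 (IV) + %d (ciphertext)\n", len(payload), len(payload)-BlockSize)
	data, nh, err := DecryptESPPayload(key, payload)
	fmt.Printf("recovered %q, next header %d, err %v\n", data, nh, err)
}
```

   Running the program twice gives two different payloads for the same
   inner data, which is the property the random IV buys; a 24-octet
   input receives 6 pad octets so that the 32 encrypted octets end with
   Pad Length and Next Header in the last two positions of a 4-octet
   word, as section 2.4 requires.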
4. IKE Interactions

4.1 Phase 1 Identifier

   For Phase 1 negotiations, IANA has assigned an Encryption Algorithm
   ID of 7 for AES-CBC.

4.2 Phase 2 Identifier

   For Phase 2 negotiations, IANA has assigned an ESP Transform
   Identifier of 12 for ESP_AES.

4.3 Key Length Attribute

   Since the AES allows variable key lengths, the Key Length attribute
   MUST be specified in both a Phase 1 exchange [IKE] and a Phase 2
   exchange [DOI].

4.4 Diffie-Hellman Groups

   The Diffie-Hellman algorithm is the basis of cryptographic key
   exchange within IPsec. The algorithm may be implemented using either
   "MODP" (modulus-exponent) groups or "EC" (elliptic curve) groups. The
   general procedure is as follows: the initiator chooses a random
   exponent x with K bits of entropy that is 2K bits in length (the K
   bits may be hashed to produce 2K bits), and then computes g^x using
   the group operation:

      X = g^x

   For MODP the group operation is modular multiplication, while for EC
   the operation is point addition on the curve. The notation "g^x"
   means "iterate the group operation x times". X is then sent to the
   responder. The responder chooses a secret number y, and similarly
   computes

      Y = g^y

   which is in turn sent to the initiator. At this point, both the
   initiator and responder may compute a shared secret value by
   combining their own secret value with the exponential and applying
   the group operation:

      Z = g^(xy) = Y^x = X^y

   From Z, both derive identical cryptographic keys.

   This description is simplified in the interest of brevity, and an
   in-depth description of this mechanism is beyond the scope of this
   memo. For further details, refer to the wealth of published
   literature on this topic.
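   As an added example (not code from the draft or from any IKE
   implementation), the Go program below runs the MODP exchange above in
   the draft's own notation: each side draws a 2K-bit exponent for a
   K-bit target key, publishes X = g^x or Y = g^y, and checks that Y^x
   and X^y give the same Z. It also carries a check against the modulus
   and exponent sizes listed in the table of section 4.4.1 below. The
   group used by main is a constructed toy (p = 2^521 - 1, g = 5) so
   that the program runs quickly offline; it is not one of the IKE
   groups and, as the check reports, falls well short of the table. The
   single SHA-256 used to turn Z into key bits is a stand-in for IKE's
   PRF-based SKEYID derivation [IKE], used here only to show that both
   sides obtain identical key material.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// DemoGroup returns a constructed MODP group for running this example:
// p = 2^521 - 1 (a known prime) and g = 5. It is far below the sizes
// section 4.4.1 recommends and is not one of the IKE groups.
func DemoGroup() (p, g *big.Int) {
	p = new(big.Int).Lsh(big.NewInt(1), 521)
	p.Sub(p, big.NewInt(1))
	return p, big.NewInt(5)
}

// Party is one side of the exchange in the notation of section 4.4:
// secret is the exponent x (or y), public is X = g^x (or Y = g^y).
type Party struct {
	secret, public *big.Int
}

// NewParty draws a secret exponent of 2K bits for a K-bit target key
// (section 4.4: K bits of entropy carried in a 2K-bit exponent) and
// computes the public value with the MODP group operation, g^x mod p.
func NewParty(p, g *big.Int, keyBits int) (*Party, error) {
	expBits := 2 * keyBits
	x, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), uint(expBits)))
	if err != nil {
		return nil, err
	}
	x.SetBit(x, expBits-1, 1) // force the top bit so x is exactly 2K bits long
	return &Party{secret: x, public: new(big.Int).Exp(g, x, p)}, nil
}

// Public returns the value sent to the peer (X or Y).
func (pt *Party) Public() *big.Int { return pt.public }

// ExponentBits returns the length of the secret exponent in bits.
func (pt *Party) ExponentBits() int { return pt.secret.BitLen() }

// SharedSecret computes Z = g^(xy): Y^x on the initiator, X^y on the
// responder. Both evaluate to the same group element.
func (pt *Party) SharedSecret(peerPublic, p *big.Int) *big.Int {
	return new(big.Int).Exp(peerPublic, pt.secret, p)
}

// DeriveKey reduces Z to a keyBits-bit symmetric key. IKE runs Z
// through its PRF-based SKEYID derivation [IKE]; a single SHA-256
// stands in for that here only to show both sides get identical bits.
func DeriveKey(z *big.Int, keyBits int) []byte {
	digest := sha256.Sum256(z.Bytes())
	return digest[:keyBits/8]
}

// MeetsTable reports whether a MODP modulus and exponent reach the
// sizes listed for a keyBits-bit key in the table of section 4.4.1.
func MeetsTable(modulusBits, exponentBits, keyBits int) bool {
	var minModulus, minExponent int
	switch keyBits {
	case 128:
		minModulus, minExponent = 3240, 256
	case 192:
		minModulus, minExponent = 7945, 384
	case 256:
		minModulus, minExponent = 15430, 512
	default:
		return false
	}
	return modulusBits >= minModulus && exponentBits >= minExponent
}

func main() {
	p, g := DemoGroup()
	initiator, _ := NewParty(p, g, 128)
	responder, _ := NewParty(p, g, 128)
	zi := initiator.SharedSecret(responder.Public(), p) // Y^x
	zr := responder.SharedSecret(initiator.Public(), p) // X^y
	fmt.Printf("Z agrees: %v\nkey: %x\n", zi.Cmp(zr) == 0, DeriveKey(zi, 128))
	fmt.Println("demo group meets the 128-bit row of the table:",
		MeetsTable(p.BitLen(), initiator.ExponentBits(), 128))
}
```

   The exponent is drawn below 2^(2K) and its top bit forced, so it is
   always exactly 2K bits long; with a 521-bit modulus the table check
   returns false for a 128-bit key, which is the point of section
   4.4.1: the symmetric key is no stronger than the group that produced
   it.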
4.4.1 Relative Strength

   The relative strength of the encryption keys derived via the
   Diffie-Hellman exchange may be characterized in terms of the
   randomness of the participant's exponents and the strength of the
   Diffie-Hellman group; if an exponent has at least 128 completely
   random bits, it is said to have 128 bits of "entropy". If the
   Diffie-Hellman group cannot be broken in less time than searching a
   128-bit key space, then the derived 128-bit key is said to have 128
   bits of "strength". For an in-depth discussion regarding relative
   strength of values derived from DH exchanges, see [KEYLEN-1].

   In some cases, one may choose to settle for an amount of entropy
   which is less than that of a completely random key of the given
   size. There are numerous reasons for making such a choice, among
   which might be a concern for the computational effort required to
   complete the key exchange. For example, the following table lists
   recommended modulus and exponent sizes for various key lengths using
   either MODP or EC groups.

   +===========+=================+================+===============+
   | Key Size  |  Exponent Size  |  Modulus Size  |  Group Type   |
   +===========+=================+================+===============+
   |    128    |       256       |      3240      |     MODP      |
   +-----------+-----------------+----------------+---------------+
   |    192    |       384       |      7945      |     MODP      |
   +-----------+-----------------+----------------+---------------+
   |    256    |       512       |     15430      |     MODP      |
   +-----------+-----------------+----------------+---------------+
   |    128    |       248       |       248      |     EC2N      |
   +-----------+-----------------+----------------+---------------+
   |    192    |       376       |       376      |     EC2N      |
   +-----------+-----------------+----------------+---------------+
   |    256    |       504       |       504      |     EC2N      |
   +-----------+-----------------+----------------+---------------+

   NOTE: This table is based on Section 4.5 in [KEYLEN-1] and on email
   communications with Hilarie Orman [KEYLEN-2].
   Note that the sizes of the moduli and exponents for the MODP groups
   in the table above are very large, and the computational effort
   required to complete the exponentiation and modulo operations with
   such large values is quite significant using hardware commonly
   available in the year 2001. If such considerations are deemed
   important, then keys larger than 128 bits SHOULD NOT be used.
   Further, if it is determined that less than 128 bits of strength
   will suffice for the security requirements of the given application,
   then smaller exponents and moduli may be used.

   [GROUPS] defines four additional Diffie-Hellman MODP groups for IKE.
   Two of these groups, a 3072-bit MODP group and a 4096-bit MODP group,
   could be used to establish 128-bit AES keys. [IKE-ECC] defines four
   additional Diffie-Hellman ECC groups for IKE. Two of these groups,
   Group 8 and 9, both of which are 283-bit ECC groups, could be used to
   establish 128-bit AES keys. Additional information about the
   relationship between the group governing a Diffie-Hellman exchange
   and the symmetric keys derived from the exchange can be found in
   [KEYLEN-1].

4.5 Hash Algorithm Considerations

   A companion competition, to select the successor to SHA-1, the
   widely-used hash algorithm, recently concluded. The resulting
   hashes, called SHA-256, SHA-384 and SHA-512 [SHA2-1], are capable of
   producing output of three different lengths (256, 384 and 512 bits),
   sufficient for the generation (within IKE) and authentication
   (within ESP) of the three AES key sizes (128, 192 and 256 bits).
   IANA has already assigned Phase 1 Hash Algorithm values of 4, 5 and
   6 to SHA2-256, SHA2-384, and SHA2-512. IANA has also assigned AH
   Transform Identifiers of 5, 6 and 7 to AH_SHA2-256, AH_SHA2-384, and
   AH_SHA2-512.
   However, HMAC-SHA-1 [HMAC-SHA] and HMAC-MD5 [HMAC-MD5] are currently
   considered of sufficient strength to serve both as IKE generators of
   128-bit AES keys and as ESP authenticators for AES encryption using
   128-bit keys.

5. Security Considerations

   Implementations are encouraged to use the largest key sizes they can
   when taking into account performance considerations for their
   particular hardware and software configuration. Note that encryption
   necessarily impacts both sides of a secure channel, so such
   consideration must take into account not only the client side, but
   the server as well. However, a key size of 128 bits is considered
   secure for the foreseeable future.

   Because the AES algorithm is relatively new and has only undergone
   limited cryptographic analysis, its use in IPsec implementations
   should be considered experimental. Once NIST has published the AES
   FIPS, and at the recommendation of cryptographic experts, AES should
   become a default and mandatory-to-implement cipher algorithm for
   IPsec.

   For more information regarding the necessary use of random IV
   values, see [CRYPTO-B].

   For further security considerations, the reader is encouraged to
   read [RIJNDAEL].

6. IANA Considerations

   IANA has assigned Encryption Algorithm ID 7 to AES-CBC. IANA has
   assigned ESP Transform Identifier 12 to ESP_AES.

7. Intellectual Property Rights Statement

   Pursuant to the provisions of [RFC-2026], the authors represent that
   they have disclosed the existence of any proprietary or intellectual
   property rights in the contribution that are reasonably and
   personally known to the authors. The authors do not represent that
   they personally know of all potentially pertinent proprietary and
   intellectual property rights owned or claimed by the organizations
   they represent or third parties.
   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification
   can be obtained from the IETF Secretariat.

8. Acknowledgments

   Portions of this text, as well as its general structure, were
   unabashedly lifted from [CBC].

   The authors want to thank Hilarie Orman for providing expert advice
   (and a sanity check) on key sizes, requirements for Diffie-Hellman
   groups, and IKE interactions.

9. References

   [ARCH]       Kent, S. and R. Atkinson, "Security Architecture for the
                Internet Protocol", RFC 2401, November 1998.

   [CBC]        Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher
                Algorithms", RFC 2451, November 1998.

   [CRYPTO-B]   Bellovin, S., "Probable Plaintext Cryptanalysis of the
                IP Security Protocols", Proceedings of the Symposium on
                Network and Distributed System Security, San Diego, CA,
                pp. 155-160, February 1997.
                http://www.research.att.com/~smb/probtxt.{ps, pdf}

   [CRYPTO-S]   Schneier, B., "Applied Cryptography Second Edition",
                John Wiley & Sons, New York, NY, 1995,
                ISBN 0-471-12845-7.

   [DOI]        Piper, D., "The Internet IP Security Domain of
                Interpretation for ISAKMP", RFC 2407, November 1998.

   [ESP]        Kent, S. and R. Atkinson, "IP Encapsulating Security
                Payload (ESP)", RFC 2406, November 1998.
   [EVALUATION] Ferguson, N. and B. Schneier, "A Cryptographic
                Evaluation of IPsec", Counterpane Internet Security,
                Inc., January 2000.

   [GROUPS]     Kivinen, T. and M. Kojo, "More MODP Diffie-Hellman
                groups for IKE", draft-ietf-ipsec-ike-modp-groups-00.txt,
                October 2000.

   [HMAC-MD5]   Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
                ESP and AH", RFC 2403, November 1998.

   [HMAC-SHA]   Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
                within ESP and AH", RFC 2404, November 1998.

   [IKE]        Harkins, D. and D. Carrel, "The Internet Key Exchange
                (IKE)", RFC 2409, November 1998.

   [IKE-ECC]    Panjwani, P. and Y. Poeluev, "Additional ECC Groups For
                IKE", draft-ietf-ipsec-ike-ecc-groups-02.txt, May 2000.

   [KEYLEN-1]   Orman, H. and P. Hoffman, "Determining Strengths For
                Public Keys Used For Exchanging Symmetric Keys",
                draft-orman-public-key-lengths-01.txt, August 2000.

   [KEYLEN-2]   Orman, H., email communications, February 2000.

   [MODES]      "Symmetric Key Block Cipher Modes of Operation."
                http://www.nist.gov/modes

   [PERF-1]     Bassham, L. III, "Efficiency Testing of ANSI C
                Implementations of Round1 Candidate Algorithms for the
                Advanced Encryption Standard."
                http://csrc.nist.gov/encryption/aes/round1/r1-ansic.pdf

   [PERF-2]     Lipmaa, Helger, "Efficiency Testing Table."
                http://home.cyber.ee/helger/aes

   [PERF-3]     Nechvatal, J., E. Barker, D. Dodson, M. Dworkin, J. Foti
                and E. Roback, "Status Report on the First Round of the
                Development of the Advanced Encryption Standard."
                http://csrc.nist.gov/encryption/aes/round1/r1report.pdf

   [PERF-4]     Schneier, B., J. Kelsey, D. Whiting, D. Wagner, C. Hall,
                and N. Ferguson, "Performance Comparison of the AES
                Submissions."
                http://www.counterpane.com/AES-performance.html

   [RFC-2026]   Bradner, S., "The Internet Standards Process -- Revision
                3", RFC 2026, October 1996.

   [RFC-2119]   Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", RFC 2119, March 1997.

   [RIJNDAEL]   Daemen, J. and V. Rijmen, "AES Proposal: Rijndael",
                NIST AES Proposal, June 1998.
                http://csrc.nist.gov/encryption/aes/round2/AESAlgs/Rijndael/Rijndael.pdf

   [ROAD]       Thayer, R., N. Doraswamy and R. Glenn, "IP Security
                Document Roadmap", RFC 2411, November 1998.

   [SHA2-1]     "Descriptions of SHA-256, SHA-384, and SHA-512."
                http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf

10. Authors' Addresses

   Sheila Frankel
   NIST
   820 West Diamond Ave.
   Room 680
   Gaithersburg, MD 20899
   Phone: +1 (301) 975-3297
   Email: sheila.frankel@nist.gov

   Scott Kelly
   SonicWALL, Inc.
   1160 Bordeaux Dr.
   Sunnyvale, CA 94089
   Phone: +1 (408) 745-9600
   Email: skelly@sonicwall.com

   Rob Glenn
   NIST
   820 West Diamond Ave.
   Room 605
   Gaithersburg, MD 20899
   Phone: +1 (301) 975-3667
   Email: rob.glenn@nist.gov

   The IPsec working group can be contacted through the chairs:

   Barbara Fraser
   Cisco Systems Inc.
   Email: byfraser@cisco.com

   Theodore Ts'o
   Massachusetts Institute of Technology
   Email: tytso@mit.edu

11. Full Copyright Statement

   Copyright (C) The Internet Society (1998). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.
   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.