Using AES-GCM-SIV in the Internet Protocol Version 2 (IKEv2) and Encapsulating Security Payload (ESP) Protocols

Introduction An authenticated encryption with associated data (AEAD) algorithm combines encryption and integrity into a single operation and returns ciphertext and an integrity check value (ICV) (also called an authentication tag) over the plaintext or ciphertext and the associated/additional data. A commonly used AEAD algorithm is AES-GCM (the Advanced Encryption Standard (AES) block cipher used in Galois/Counter mode)(GCM) , which offers certain performance advantages over other AES-based options that also provide both confidentiality and message authentication. However, AES-GCM fails catastrophically (i.e., exposes the authentication key) when two different plaintext messages are encrypted with the same key and nonce. While specifications of AES-GCM require a unique nonce per message, this can be difficult to guarantee in practice due to poor random number generation or failure to keep track of state, either of which can result in a nonce repeating. As a nonce-misuse-resistant AEAD, AES-GCM-SIV avoids this failure. In particular, when two messages are encrypted using the same AES-GCM-SIV nonce and key, the ICV/authentication tag associated with each message can only reveal whether it is probable that the two messages are equal. This document specifies the use of AES-GCM-SIV in IKEv2 and ESP. This document also adds AES-GCM-SIV to the IANA IKEv2 registry for "Transform Type 1 - Encryption Algorithm Transform IDs."

Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

AES-GCM-SIV Overview Though AES-GCM-SIV is based on AES-GCM, there are several key differences between the two algorithms; these differences prevent the specifications for AES-GCM in IKEv2 and ESP from directly supporting AES-GCM-SIV. This section gives an overview of these differences and highlights how these differences manifest in the IKEv2 and ESP protocols. The typical nonce construction for AES-GCM in IKEv2 and ESP is called "partially implicit" (Section 4 of ). It consists of a four-octet salt that is part of the IKEv2 keying material shared between parties (this is the implicit portion), followed by the eight-octet Initialization Vector (IV) included in the Encrypted payload (this is the explicit portion; hence "partially" implicit). It is required that the IV be eight octets and chosen in such a way that is only used once. Note in particular that the IV is defined as a component of this partially implicit nonce. In contrast, the AES-GCM-SIV nonce is a component of the synthetic IV (SIV). Unlike the IV construction in , the SIV is a function of all the AEAD inputs: the 12-octet nonce, the key-generating key, the plaintext, and the associated data. For AES-GCM-SIV, the nonce is random, and does not contain a salt. Specifically, there is no need for a salt because the SIV is already a function of keying material (through the incorporation of the key-generating key). Because of these structural differences, IKEv2 and ESP fields specified for AES-GCM nonce and IV cannot be used for the AES-GCM-SIV nonce and SIV without modification. While the AES-GCM ciphertext (as described in ) and AES-GCM-SIV ciphertext both include an authentication tag, the authentication tag for AES-GCM can be 8, 12, or 16 octets. In contrast, the authentication tag for AES-GCM-SIV MUST be 16 octets. This is because the AES-GCM-SIV authentication tag is needed to decrypt ciphertext, so it must be transmitted in full (i.e., not truncated).

AES-GCM-SIV in IKEv2 The Internet Key Exchange version 2 protocol is a component of IPsec that establishes a Security Association (SA) with a shared session secret from which cryptographic keys are derived. This SA can facilitate the establishment of further SAs for Encapsulating Security Payload (ESP) or Authentication Header , and the cryptographic keys are used to protect the traffic carried by each SA. specifies generally how to negotiate and use cryptographic algorithms that provide properties such as encryption and integrity of the IKE SA. specifies how to use AES-GCM as a Transform Type 1 algorithm to provide both encryption and integrity to the IKEv2 SA. This section specifies how to use AES-GCM-SIV for the same purpose and uses portions of as a baseline.

IKEv2 Encrypted Payload Data The Encrypted payload (Section 3.14 of ) contains all the payloads of a given IKEv2 message in encrypted form. Section 3 (or Figure 1) of updates the format of the Encrypted payload as depicted in Figure 21 of in the case that one of the authenticated encryption algorithms AES-GCM or AES-CCM are used. This updated format contains two fields: an 8-octet Initialization Vector field followed by a variable-length Ciphertext field. The Encrypted payload format for AES-GCM-SIV aligns with the modified format from with one exception: instead of an Initialization Vector field, the AES-GCM-SIV Encrypted payload format includes a Nonce field in its place. Then, the Encrypted payload has the following structure:

Nonce: a twelve-octet AES-GCM-SIV nonce, followed by
Ciphertext: a variable-length ciphertext.

The Nonce field contains a randomly-generated 96-bit (12-octet) value. [EDNOTE: Is it acceptable to rename the IV field to Nonce, or should this guidance use the same field name and just clarify that the IV field contains the nonce instead of IV?] The Ciphertext field contains the ciphertext as specified by . The ciphertext as specified by contains a 16-octet authentication tag, making it 16 octets longer than the corresponding plaintext. While the AES-GCM ciphertext (as described in ) and AES-GCM-SIV ciphertext both include an authentication tag, the authentication tag for AES-GCM can be 8, 12, or 16 octets. In contrast, the authentication tag for AES-GCM-SIV MUST be 16 octets. For both AES-GCM and AES-GCM-SIV, the presence of the authentication tag in the Ciphertext field makes it so that a separate Integrity Check Value field in the Encrypted payload is not needed. Note that the ciphertext calculation inputs described in Section 3 of differ from the inputs used for the AES-GCM-SIV ciphertext calculation.

IKEv2 Keying Material Parties in IKEv2 generate a quantity called SKEYSEED from which all keys used in the IKEv2 SA are derived (Section 2.14 of ). AES-GCM-SIV uses one of these keys, SK_e[i/r], as a key-generating key from which to derive further keying material. SK_e[i/r] is either 128 or 256 bits, depending on whether AES-128 or AES-256 is in use. In particular, the key-generating key and the 96-bit nonce are used to derive a 128-bit message-authentication key and either a 128-bit or 256-bit (consistent with the length of the key-generating key, for use in AES-128 or AES-256 respectively) message-encryption key (see Section 4 of ). Note that this process differs from the encryption method employed by AES-GCM, in which (SK_e[i/r]) is used directly (instead of being used first to generate a message-encryption key). The authentication keys SK_a[i/r] from SKEYSEED are treated as having a length of zero octets and are not used, consistent with the treatment of SK_a[i/r] for AES-GCM by Section 7.1 of .

Associated Data Construction The construction of the associated data for AES-GCM-SIV (referred to as "additional data" by ) is as specified for AES-GCM in Section 5.1 of .

AES-GCM-SIV in ESP

ESP Payload Data ESP packets contain a variable-length field, called Payload Data . The format of the Payload Data field is dependent upon the encryption algorithm being used. In the case of AES-GCM-SIV, the ESP Payload Data field is composed of two subfields:

Nonce: a twelve-octet AES-GCM-SIV nonce, followed by
Ciphertext: a variable-length ciphertext.

The Nonce field contains a randomly-generated 96-bit (12-octet) value. Note that the nonce is akin to the 8-octet Initialization Vector shown in Figure 1 of . The instantiation of the Ciphertext field is consistent with the specification for AES-GCM in Section 3.2 of . Note that while the AES-GCM-SIV ciphertext as per contains a 16-octet authentication tag at the end, this tag MUST NOT be included in the Ciphertext field here; it is instead included as the Integrity Check Value (discussed in Section 4.2). [EDNOTE: Is this the preferred way to format AEADs for ESP (vs. including the authentication tag in the Ciphertext field and leaving the ICV field empty)? It seems to be what other RFCs have done.]

ESP Integrity Check Value (ICV) The ESP Packet Format depicted in Figure 1 of includes a variable-length Integrity Check Value (ICV) field. This field contains the AES-GCM-SIV 16-octet authentication tag (i.e., the last 16 octets of the AES-GCM-SIV ciphertext. The ICV is the 16-octet AES-GCM-SIV Authentication Tag.

ESP Keying Material The transform keys are extracted from the KEYMAT as defined in Section 2.17 of . When AES-GCM-SIV with AES-128 is used, 16 octets are extracted; when AES-GCM-SIV with AES-256 is used, 32 octets are extracted.

Additional Authenticated Data Construction The construction of the Additional Authenticated Data (AAD) for AES-GCM-SIV is as specified for AES-GCM-SIV in Section 5 of .

Security Considerations This document inherits the security considerations of .

Operational Considerations Implementers of IPsec may assess the benefits and drawbacks of using AES-GCM-SIV in a given deployment scenario versus another AEAD algorithm. While AES-GCM-SIV decryption speed is comparable to that of AES-GCM, its encryption runs at about two thirds the speed of AES-GCM encryption. Because of this, it is not prudent to view AES-GCM-SIV as a blanket replacement for AES-GCM. recommends that AES-GCM-SIV be used in any scenario where nonce uniqueness cannot be guaranteed, such as when there is no stateful counter, or when multiple encryptors use the same key.

IANA Considerations This document adds the following algorithm to the IANA "Transform Type 1 - Encryption Algorithm Transform IDs" registry for use in both IKEv2 and ESP: