Network Working Group W. Kim Internet-Draft J. Lee Intended status: Informational J. Park Expires: March 18, 2012 D. Kwon NSRI September 15, 2011 The ARIA Cipher Algorithm and Its Use with IPsec draft-nsri-ipsecme-aria-ipsec-00 Abstract This document describes the use of the ARIA block cipher algorithm in conjunction with several different modes of operation within IKE and IPsec. It describes the use of ARIA in CBC, CTR, GCM and CCM modes to encrypt and/or authenticate IKE and ESP traffic. It also describes the use of ARIA in XCBC, CMAC, and GMAC modes to authenticate IKE, ESP and AH traffic. The use of ARIA in XCBC and CMAC modes for pseudorandom functions is also included. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 18, 2012. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Kim, et al. Expires March 18, 2012 [Page 1] Internet-Draft ARIA Cipher with IPsec September 2011 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Modes of Operation . . . . . . . . . . . . . . . . . . . . 3 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Encryption and Combined Mode Algorithms . . . . . . . . . . . . 4 2.1. ARIA-CBC and ARIA-CTR . . . . . . . . . . . . . . . . . . . 4 2.2. ARIA-CCM and ARIA-GCM . . . . . . . . . . . . . . . . . . . 4 3. Integrity-Protection (Authentication) Algorithms . . . . . . . 5 3.1. ARIA-XCBC and ARIA-CMAC . . . . . . . . . . . . . . . . . . 5 3.2. ARIA-GMAC . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Pseudo-Random Functions (PRFs) . . . . . . . . . . . . . . . . 5 5. IKEv2 Conventions . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. Keying Material . . . . . . . . . . . . . . . . . . . . . . 6 5.2. Transform Type 1 . . . . . . . . . . . . . . . . . . . . . 6 5.3. Transform Type 2 . . . . . . . . . . . . . . . . . . . . . 6 5.4. Transform Type 3 . . . . . . . . . . . . . . . . . . . . . 6 5.5. Key Length Attribute . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . . 8 8.2. Informative References . . . . . . . . . . . . . . . . . . 9 Kim, et al. Expires March 18, 2012 [Page 2] Internet-Draft ARIA Cipher with IPsec September 2011 1. Introduction This document describes how to use ARIA in conjunction with several different modes of operation within IKE [RFC5996] and IPsec ([RFC4301][RFC4302][RFC4303]). Within IKE, it is used either to protect the IKE SA's traffic (encryption and integrity-protection algorithms) or to generate keying material (pseudorandom functions). Within IPsec, it is used to protect the IPsec/child SA's traffic, and IKE is capable of negotiating its use for that purpose. For encryption algorithms, the use of ARIA in cipher block chaining (CBC) mode and counter (CTR) mode is described. Both are used to encrypt IKE and/or ESP traffic, providing confidentiality protection to the traffic. For integrity-protection algorithms, the use of ARIA in eXtended CBC (XCBC) mode, CMAC mode and GMAC mode is described. These are used to authenticate IKE and/or IPsec traffic, providing integrity protection to the traffic. For combined mode algorithms, the use of ARIA in counter with CBC-MAC (CCM) mode and Galois/Counter Mode (GCM) is described. Both are used to encrypt and integrity protect IKE and/or ESP traffic, providing both confidentiality and integrity protection to the traffic. For pseudorandom functions, the use of ARIA in XCBC mode and CMAC mode is described. Both are used to generate the secret keys that are used in IKE SAs and IPsec SAs. This document does not provide an overview of IPsec. However, information about how the various components of IPsec and the way in which they collectively provide security services is available in [RFC4301], [RFC4302], [RFC4303] and [RFC5996]. 1.1. ARIA ARIA is a general-purpose block cipher algorithm developed by Korean cryptographers in 2003. It is an iterated block cipher with 128-, 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 rounds, depending on the key size. It is secure and suitable for most software and hardware implementations on 32-bit and 8-bit processors. It was established as a Korean standard block cipher algorithm in 2004 [ARIAKS] and has been widely used in Korea, especially for government-to-public services. It was included in PKCS #11 in 2007 [ARIAPKCS]. The algorithm specification and object identifiers are described in [RFC5794]. 1.2. Modes of Operation Block ciphers ARIA and AES share common characteristics including key size and block length. ARIA does not have any restrictions for modes of operation that are used with this block cipher. So several definitions for ARIA modes of operation such as changes to packet Kim, et al. Expires March 18, 2012 [Page 3] Internet-Draft ARIA Cipher with IPsec September 2011 formats, detailed algorithmic computations, and special considerations within relevant protocols can be specified according as those which were previously specified for AES. This document does not describe such definitions appropriate for the specific ARIA mode of operation, but attempts to indicate the reference of the corresponding AES mode of operation. The only difference in the processing is that the underlying encryption primitive is ARIA instead of AES. 1.3. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Encryption and Combined Mode Algorithms We specify four algorithms within IKE and IPsec ESP, (1) ARIA in CBC Mode (ARIA-CBC), (2) ARIA in CTR Mode (ARIA-CTR), (3) ARIA in CCM Mode (ARIA-CCM) and (4) ARIA in GCM (ARIA-GCM). ARIA-CBC and ARIA-CTR are used to encrypt IKE and/or ESP traffic. When ARIA-CTR is used to provide confidentiality, the use of integrity protection is strongly recommended. As a single algorithm which can provide both encryption and integrity protection, ARIA-CCM and ARIA-GCM are used for IKE and/or ESP traffic. 2.1. ARIA-CBC and ARIA-CTR The use of ARIA-CBC and ARIA-CTR within ESP is defined as AES-CBC [RFC3602] and AES-CTR [RFC3686]. [RFC3602] can also be a reference of ARIA-CBC within IKE, while ARIA-CTR within IKE refers to [RFC5930], which extends [RFC3686] to enable the use of AES-CTR to provide confidentiality for IKEv2 traffic. 2.2. ARIA-CCM and ARIA-GCM The use of ARIA-CCM and ARIA-GCM within ESP is defined as AES-CCM [RFC4309] and AES-GCM [RFC4106]. The use of ARIA-CCM and ARIA-GCM within IKE is defined as AES in [RFC5282]. ARIA-CCM is a block-mode algorithm with a random IV that is sent in the packet along with the encrypted data, a 24-bit salt value; a 128-bit key and ICV sizes of 64, 96 and 128 bits. ARIA-GCM has the same structure with ARIA-CCM, except that a 32-bit salt value is used. Kim, et al. Expires March 18, 2012 [Page 4] Internet-Draft ARIA Cipher with IPsec September 2011 3. Integrity-Protection (Authentication) Algorithms We specify three algorithms within IKE and IPsec, (1) ARIA in eXtended CBC Mode (ARIA-XCBC), (2) ARIA in CMAC Mode (ARIA-CMAC) and (3) ARIA in GMAC Mode (ARIA-GMAC). These are block cipher modes of operation providing integrity-protection, and can be used as an authentication mechanism within the context of the IKE and/or IPsec AH and ESP protocols. This protection is provided by computing an Integrity Check Value (ICV), which is included in the packet. 3.1. ARIA-XCBC and ARIA-CMAC XCBC and CMAC are variants of CBC-MAC, which are secure for message of varying lengths (unlike classic CBC-MAC). The use of ARIA-XCBC and ARIA-CMAC is defined as AES-XCBC [RFC3566] and AES-CMAC [RFC4494]. Both are integrity-protection algorithms with a 128-bit block and 128-bit key and 128-bit ICV. For use within IKE and IPsec, the ICV is truncated to 96 bits. 3.2. ARIA-GMAC ARIA-GMAC is a variant of ARIA-GCM that provides integrity protection without encryption. It has two versions: an integrity-protection algorithm for use within AH, and a combined mode algorithm with null encryption for use within ESP. It can use key sizes of 128, 192, and 256 bits; the ICV is always 128 bits, and is not truncated. The use ARIA-GMAC within IPsec is defined as AES-GMAC [RFC4543]. ARIA-GMAC cannot be used by IKE to protect its own SAs, since IKE SA traffic requires encryption. 4. Pseudo-Random Functions (PRFs) IKE uses pseudorandom functions (PRFs) to generate the secret keys that are used in IKE SAs and IPsec SAs. These PRFs are generally the same algorithms used for integrity protection, but their output is not truncated, since all of the generated bits are used for the keys in general. We specify two algorithms within IKE as PRFs, (1) ARIA-XCBC and (2) ARIA-CMAC. The use of ARIA-XCBC and ARIA-CMAC within IKE is defined as AES-XCBC [RFC4434] and AES-CMAC [RFC4615]. 5. IKEv2 Conventions This section describes the conventions used to generate keying material for use with ARIA modes of operation using the Internet Key Exchange (IKEv2). The identifiers and attributes needed to negotiate Kim, et al. Expires March 18, 2012 [Page 5] Internet-Draft ARIA Cipher with IPsec September 2011 a security association that uses ARIA modes of operation are also specified. 5.1. Keying Material The PRF in IKE is used iteratively to derive keying material of arbitrary size, called KEYMAT. Keying material consisting of the actual ARIA key and the nonce is extracted from the output string without regard to boundaries, but is derived in the same way as AES modes of operation. 5.2. Transform Type 1 For IKEv2 negotiations, IANA is requested to assign IKE Transform Type 1 Identifiers for ARIA-CBC, ARIA-CTR, ARIA-CCM and ARIA-GCM, as recorded in Section 7. 5.3. Transform Type 2 For IKEv2 negotiations, IANA is requested to assign IKE Transform Type 2 Identifiers for ARIA-XCBC, ARIA-CMAC and ARIA-GMAC, as recorded in Section 7. 5.4. Transform Type 3 For IKEv2 negotiations, IANA is requested to assign IKE Transform Type 3 Identifiers for ARIA-XCBC and ARIA-CMAC, as recorded in Section 7. For the usage of ARIA-GMAC within AH, each key size requires its own IANA value because IKE does not have to negotiate the key size. For the usage of ARIA-GMAC within ESP, there is only one IANA value, because IKE negotiations specify the key size. 5.5. Key Length Attribute ARIA modes of operation can be used with any of the three ARIA key sizes. The way that the key size is indicated is different for Transform Type 1 and the others. For Transform Type 1, there is a single encryption identifier. The IKE Key Length attribute MUST be used with each use of this identifier to indicate the key size. The Key Length attribute MUST have a value of 128-, 192-, or 256-bit, and is used in the same way as AES modes of operation. For Transforms Type 2 and Type 3, the IKE Key Length attribute MUST NOT be used. Like ARIA-GMAC, each key size has its own separate Kim, et al. Expires March 18, 2012 [Page 6] Internet-Draft ARIA Cipher with IPsec September 2011 integrity transform identifier and algorithm name. 6. Security Considerations At the time of writing this document no security problem has been found on ARIA (see [TSL]). The security considerations in [RFC3566], [RFC3602], [RFC3686], [RFC4106], [RFC4309], [RFC4434], [RFC4494], [RFC4543], [RFC4615] and [RFC5282] apply to this document as well. Within IKE and IPsec, ARIA modes of operation do not create additional security considerations beyond those of AES modes of operation. 7. IANA Considerations IANA is requested to allocate Transform Type 1 (Encryption Algorithm Transform IDs) Identifiers for ARIA-CBC, ARIA-CTR, ARIA-CCM, and ARIA-GCM with an explicit IV in the "IKEv2 Parameters" registry: Number Name ENCR_ARIA_CBC; ENCR_ARIA_CTR; ENCR_ARIA_CCM_8; ENCR_ARIA_CCM_12; ENCR_ARIA_CCM_16; ENCR_ARIA_GCM_8; ENCR_ARIA_GCM_12; ENCR_ARIA_GCM_16; ENCR_NULL_AUTH_ARIA_GMAC; IANA is also requested to allocate Transform Type 2 (Pseudo-random Function Transform IDs) Identifiers for ARIA-XCBC and ARIA-CMAC with an explicit IV in the "IKEv2 Parameters" registry: Number Name PRF_ARIA_128_XCBC; PRF_ARIA_128_CMAC; Kim, et al. Expires March 18, 2012 [Page 7] Internet-Draft ARIA Cipher with IPsec September 2011 IANA is also requested to allocate Transform Type 3 (Integrity Algorithm Transform IDs) Identifiers for ARIA-XCBC, ARIA-CMAC, and ARIA-GMAC with an explicit IV in the "IKEv2 Parameters" registry: Number Name AUTH_ARIA_128_XCBC_96; AUTH_ARIA_128_CMAC_96; AUTH_ARIA_128_GMAC; AUTH_ARIA_192_GMAC; AUTH_ARIA_256_GMAC; 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec", RFC 3566, September 2003. [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher Algorithm and Its Use with IPsec", RFC 3602, September 2003. [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004. [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, June 2005. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005. [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)", RFC 4309, December 2005. Kim, et al. Expires March 18, 2012 [Page 8] Internet-Draft ARIA Cipher with IPsec September 2011 [RFC4434] Hoffman, P., "The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)", RFC 4434, February 2006. [RFC4494] Song, JH., Poovendran, R., and J. Lee, "The AES-CMAC-96 Algorithm and Its Use with IPsec", RFC 4494, June 2006. [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, May 2006. [RFC4615] Song, J., Poovendran, R., Lee, J., and T. Iwata, "The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC- PRF-128) Algorithm for the Internet Key Exchange Protocol (IKE)", RFC 4615, August 2006. [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol", RFC 5282, August 2008. [RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A Description of the ARIA Encryption Algorithm", RFC 5794, March 2010. [RFC5930] Shen, S., Mao, Y., and NSS. Murthy, "Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol", RFC 5930, July 2010. [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5996, September 2010. 8.2. Informative References [ARIAKS] Korean Agency for Technology and Standards, "128 bit block encryption algorithm ARIA - Part 1: General (in Korean)", KS X 1213-1:2009, December 2009. [ARIAPKCS] RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS #11 v2.20 Amendment 3 Revision 1, January 2007. [TSL] Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A meet- in-the-middle attack on reduced-round ARIA", The Journal of Systems and Software Vol.84(10), pp. 1685-1692, October 2011. Kim, et al. Expires March 18, 2012 [Page 9] Internet-Draft ARIA Cipher with IPsec September 2011 Authors' Addresses Woo-Hwan Kim National Security Research Institute P.O.Box 1, Yuseong Daejeon 305-350 Korea EMail: whkim5@ensec.re.kr Jungkeun Lee National Security Research Institute P.O.Box 1, Yuseong Daejeon 305-350 Korea EMail: jklee@ensec.re.kr Je-Hong Park National Security Research Institute P.O.Box 1, Yuseong Daejeon 305-350 Korea EMail: jhpark@ensec.re.kr Daesung Kwon National Security Research Institute P.O.Box 1, Yuseong Daejeon 305-350 Korea EMail: ds_kwon@ensec.re.kr Kim, et al. Expires March 18, 2012 [Page 10]