| rfc9044xml2.original.xml | rfc9044.xml | |||
|---|---|---|---|---|
| <?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | ||||
| <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.35 --> | ||||
| <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ | <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent"> | |||
| <!ENTITY RFC2119 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.2119.xml"> | ||||
| <!ENTITY RFC8174 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.8174.xml"> | ||||
| <!ENTITY RFC5912 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.5912.xml"> | ||||
| <!ENTITY RFC5652 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.5652.xml"> | ||||
| <!ENTITY RFC7696 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.7696.xml"> | ||||
| <!ENTITY RFC5084 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.5084.xml"> | ||||
| <!ENTITY RFC4086 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.4086.xml"> | ||||
| ]> | ||||
| <?rfc toc="yes"?> | ||||
| <?rfc sortrefs="yes"?> | ||||
| <?rfc symrefs="yes"?> | ||||
| <rfc ipr="trust200902" docName="draft-ietf-lamps-cms-aes-gmac-alg-05" category=" | <rfc | |||
| std" consensus="true"> | xmlns:xi="http://www.w3.org/2001/XInclude" | |||
| number="9044" | ||||
| updates="" | ||||
| obsoletes="" | ||||
| category="std" | ||||
| consensus="true" | ||||
| submissionType="IETF" | ||||
| ipr="trust200902" | ||||
| sortRefs="true" | ||||
| symRefs="true" | ||||
| tocInclude="true" | ||||
| docName="draft-ietf-lamps-cms-aes-gmac-alg-05" | ||||
| xml:lang="en" | ||||
| version="3"> | ||||
| <front> | <front> | |||
| <title abbrev="Using AES-GMAC with the CMS">Using the AES-GMAC Algorithm wit h the Cryptographic Message Syntax (CMS)</title> | <title abbrev="Using AES-GMAC with the CMS">Using the AES-GMAC Algorithm wit h the Cryptographic Message Syntax (CMS)</title> | |||
| <seriesInfo name="RFC" value="9044"/> | ||||
| <author initials="R." surname="Housley" fullname="Russ Housley"> | <author initials="R." surname="Housley" fullname="Russ Housley"> | |||
| <organization abbrev="Vigil Security">Vigil Security, LLC</organization> | <organization abbrev="Vigil Security">Vigil Security, LLC</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <street>516 Dranesville Road</street> | <street>516 Dranesville Road</street> | |||
| <city>Herndon, VA</city> | <city>Herndon</city> | |||
| <region>VA</region> | ||||
| <code>20170</code> | <code>20170</code> | |||
| <country>US</country> | <country>United States of America</country> | |||
| </postal> | </postal> | |||
| <email>housley@vigilsec.com</email> | <email>housley@vigilsec.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <date year="2021" month="April" day="02"/> | <date year="2021" month="June"/> | |||
| <area>Security</area> | <area>Security</area> | |||
| <keyword>Internet-Draft</keyword> | <keyword>Authentication</keyword> | |||
| <keyword>Message Authentication Code</keyword> | ||||
| <abstract> | <abstract> | |||
| <t>This document specifies the conventions for using the AES-GMAC Message | <t>This document specifies the conventions for using the AES-GMAC Message | |||
| Authentication Code algorithms with the Cryptographic Message Syntax | Authentication Code algorithm with the Cryptographic Message Syntax | |||
| (CMS) as specified in RFC 5652.</t> | (CMS) as specified in RFC 5652.</t> | |||
| </abstract> | </abstract> | |||
| </front> | </front> | |||
| <middle> | <middle> | |||
| <section anchor="intro" title="Introduction"> | <section anchor="intro" title="Introduction"> | |||
| <t>This document specifies the conventions for using the AES-GMAC | <t>This document specifies the conventions for using the AES-GMAC | |||
| <xref target="AES"/><xref target="GCM"/> Message Authentication Code (MAC) algor ithm with the | <xref target="AES"/> <xref target="GCM"/> Message Authentication Code (MAC) algo rithm with the | |||
| Cryptographic Message Syntax (CMS) <xref target="RFC5652"/>.</t> | Cryptographic Message Syntax (CMS) <xref target="RFC5652"/>.</t> | |||
| </section> | </section> | |||
| <section anchor="terms" title="Terminology"> | <section anchor="terms" title="Terminology"> | |||
| <t> | ||||
| <t>The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU | |||
| “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and | IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | |||
| “OPTIONAL” in this document are to be interpreted as described in | NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14> | |||
| BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, th | RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
| ey appear in | "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | |||
| all capitals, as shown here.</t> | be interpreted as | |||
| described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | ||||
| when, and only when, they appear in all capitals, as shown here. | ||||
| </t> | ||||
| </section> | </section> | |||
| <section anchor="message-authentication-code-algorithms" title="Message Authenti cation Code Algorithms"> | <section anchor="message-authentication-code-algorithms" title="Message Authenti cation Code Algorithms"> | |||
| <t>This section specifies the conventions employed by CMS <xref target="RFC5652" /> | <t>This section specifies the conventions employed by CMS <xref target="RFC5652" /> | |||
| implementations that support the AES-GMAC <xref target="AES"/><xref target="GCM" /> Message | implementations that support the AES-GMAC <xref target="AES"/> <xref target="GCM "/> Message | |||
| Authentication Code (MAC) algorithm.</t> | Authentication Code (MAC) algorithm.</t> | |||
| <t>MAC algorithm identifiers are located in the AuthenticatedData | <t>MAC algorithm identifiers are located in the AuthenticatedData | |||
| macAlgorithm field.</t> | macAlgorithm field.</t> | |||
| <t>MAC values are located in the AuthenticatedData mac field.</t> | <t>MAC values are located in the AuthenticatedData mac field.</t> | |||
| <section anchor="aes-gmac" title="AES-GMAC"> | <section anchor="aes-gmac" title="AES-GMAC"> | |||
| <t>The AES-GMAC <xref target="AES"/><xref target="GCM"/> Message Authentication Code (MAC) algorithm | <t>The AES-GMAC <xref target="AES"/> <xref target="GCM"/> Message Authentication Code (MAC) algorithm | |||
| uses one of the following algorithm identifiers in the AuthenticatedData | uses one of the following algorithm identifiers in the AuthenticatedData | |||
| macAlgorithm field; the choice depends on the size of the AES key, which | macAlgorithm field; the choice depends on the size of the AES key, which | |||
| is either 128 bits, 192 bits, or 256 bits:</t> | is either 128 bits, 192 bits, or 256 bits:</t> | |||
| <figure><artwork><![CDATA[ | <sourcecode type="asn.1"><![CDATA[ | |||
| aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) | aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) | |||
| organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } | organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } | |||
| id-aes128-GMAC OBJECT IDENTIFIER ::= { aes 9 } | id-aes128-GMAC OBJECT IDENTIFIER ::= { aes 9 } | |||
| id-aes192-GMAC OBJECT IDENTIFIER ::= { aes 29 } | id-aes192-GMAC OBJECT IDENTIFIER ::= { aes 29 } | |||
| id-aes256-GMAC OBJECT IDENTIFIER ::= { aes 49 } | id-aes256-GMAC OBJECT IDENTIFIER ::= { aes 49 } | |||
| ]]></artwork></figure> | ]]></sourcecode> | |||
| <t>For all three of these algorithm identifier values, the | <t>For all three of these algorithm identifier values, the | |||
| AlgorithmIdentifier parameters field MUST be present, and the parameters | AlgorithmIdentifier parameters field <bcp14>MUST</bcp14> be present, and the par | |||
| MUST contain GMACParameters:</t> | ameters | |||
| <bcp14>MUST</bcp14> contain GMACParameters:</t> | ||||
| <figure><artwork><![CDATA[ | <sourcecode type="asn.1"><![CDATA[ | |||
| GMACParameters ::= SEQUENCE { | GMACParameters ::= SEQUENCE { | |||
| nonce OCTET STRING, -- recommended size is 12 octets | nonce OCTET STRING, -- recommended size is 12 octets | |||
| length MACLength DEFAULT 12 } | length MACLength DEFAULT 12 } | |||
| MACLength ::= INTEGER (12 | 13 | 14 | 15 | 16) | MACLength ::= INTEGER (12 | 13 | 14 | 15 | 16) | |||
| ]]></artwork></figure> | ]]></sourcecode> | |||
| <t>The GMACParameters nonce field is the GMAC initialization | <t>The GMACParameters nonce field is the GMAC initialization | |||
| vector. The nonce may have any number of bits between 8 and (2^64)-1, | vector. The nonce may have any number of bits between 8 and (2^64)-1, | |||
| but it MUST be a multiple of 8 bits. Within the scope of any | but it <bcp14>MUST</bcp14> be a multiple of 8 bits. Within the scope of any | |||
| content-authentication key, the nonce value MUST be unique. A | content-authentication key, the nonce value <bcp14>MUST</bcp14> be unique. A | |||
| nonce value of 12 octets can be processed more efficiently, | nonce value of 12 octets can be processed more efficiently, | |||
| so that length for the nonce value is RECOMMENDED.</t> | so that length for the nonce value is <bcp14>RECOMMENDED</bcp14>.</t> | |||
| <t>The GMACParameters length field tells the size of the message | <t>The GMACParameters length field tells the size of the message | |||
| authentication code. It MUST match the size in octets of the value | authentication code. It <bcp14>MUST</bcp14> match the size in octets of the val ue | |||
| in the AuthenticatedData mac field. A length of 12 octets is | in the AuthenticatedData mac field. A length of 12 octets is | |||
| RECOMMENDED.</t> | <bcp14>RECOMMENDED</bcp14>.</t> | |||
| </section> | </section> | |||
| </section> | </section> | |||
| <section anchor="implementation-considerations" title="Implementation Considerat ions"> | <section anchor="implementation-considerations" title="Implementation Considerat ions"> | |||
| <t>An implementation of the Advanced Encryption Standard (AES) | <t>An implementation of the Advanced Encryption Standard (AES) | |||
| Galois/Counter Mode (GCM) authenticated encryption algorithm is specified | Galois/Counter Mode (GCM) authenticated encryption algorithm is specified | |||
| in <xref target="GCM"/>. An implementation of AES-GCM can be used to compute th e GMAC | in <xref target="GCM"/>. An implementation of AES-GCM can be used to compute th e GMAC | |||
| message authentication code by providing the content-authentication key | message authentication code by providing the content-authentication key | |||
| as the AES key, the nonce as the initialization vector, a zero-length | as the AES key, the nonce as the initialization vector, a zero-length | |||
| plaintext content, and the content to be authenticated as the additional | plaintext content, and the content to be authenticated as the additional | |||
| authenticated data (AAD). The result of the AES-GCM invocation is the | authenticated data (AAD). The result of the AES-GCM invocation is the | |||
| AES-GMAC authentication code, which is called the authentication tag in | AES-GMAC authentication code, which is called the "authentication tag" in | |||
| some implementations. In AES-GCM, the encryption step is skipped when no | some implementations. In AES-GCM, the encryption step is skipped when no | |||
| input plaintext is provided, and therefore, no ciphertext is produced.</t> | input plaintext is provided; therefore, no ciphertext is produced.</t> | |||
| <t>The DEFAULT and RECOMMENDED values in GMACParameters were selected | <t>The DEFAULT and <bcp14>RECOMMENDED</bcp14> values in GMACParameters were sele | |||
| to align with the parameters defined for AES-GCM in Section 3.2 of <xref target= | cted | |||
| "RFC5084"/>.</t> | to align with the parameters defined for AES-GCM in <xref target="RFC5084" secti | |||
| onFormat="of" section="3.2"/>.</t> | ||||
| </section> | </section> | |||
| <section anchor="asn1-module" title="ASN.1 Module"> | <section anchor="asn1-module" title="ASN.1 Module"> | |||
| <t>The following ASN.1 module uses the definition for MAC-ALGORITHM | <t>The following ASN.1 module uses the definition for MAC-ALGORITHM | |||
| from <xref target="RFC5912"/>.</t> | from <xref target="RFC5912"/>.</t> | |||
| <figure><artwork><![CDATA[ | <sourcecode type="asn.1"> <![CDATA[ | |||
| CryptographicMessageSyntaxGMACAlgorithms | CryptographicMessageSyntaxGMACAlgorithms | |||
| { iso(1) member-body(2) us(840) rsadsi(113549) | { iso(1) member-body(2) us(840) rsadsi(113549) | |||
| pkcs(1) pkcs-9(9) smime(16) modules(0) | pkcs(1) pkcs-9(9) smime(16) modules(0) | |||
| id-mod-aes-gmac-alg-2020(TBD) } | id-mod-aes-gmac-alg-2020(72) } | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS All | -- EXPORTS All | |||
| IMPORTS | IMPORTS | |||
| AlgorithmIdentifier{}, MAC-ALGORITHM | AlgorithmIdentifier{}, MAC-ALGORITHM | |||
| FROM AlgorithmInformation-2009 -- from [RFC5912] | FROM AlgorithmInformation-2009 -- from [RFC5912] | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| skipping to change at line 203 ¶ | skipping to change at line 204 ¶ | |||
| IDENTIFIER id-aes192-GMAC | IDENTIFIER id-aes192-GMAC | |||
| PARAMS TYPE GMACParameters ARE required | PARAMS TYPE GMACParameters ARE required | |||
| IS-KEYED-MAC TRUE } | IS-KEYED-MAC TRUE } | |||
| maca-aes256-GMAC MAC-ALGORITHM ::= { | maca-aes256-GMAC MAC-ALGORITHM ::= { | |||
| IDENTIFIER id-aes256-GMAC | IDENTIFIER id-aes256-GMAC | |||
| PARAMS TYPE GMACParameters ARE required | PARAMS TYPE GMACParameters ARE required | |||
| IS-KEYED-MAC TRUE } | IS-KEYED-MAC TRUE } | |||
| END -- of CryptographicMessageSyntaxGMACAlgorithms | END -- of CryptographicMessageSyntaxGMACAlgorithms | |||
| ]]></artwork></figure> | ]]></sourcecode> | |||
| </section> | </section> | |||
| <section anchor="iana-considerations" title="IANA Considerations"> | <section anchor="iana-considerations" title="IANA Considerations"> | |||
| <t>IANA is asked to register object identifiers for one module identifier in | <t> | |||
| the “SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)” | IANA has registered the object identifier shown in <xref target="IANA1"/> in | |||
| registry for id-mod-aes-gmac-alg-2020.</t> | the "SMI Security for S/MIME | |||
| Module Identifier (1.2.840.113549.1.9.16.0)" registry.</t> | ||||
| <table anchor="IANA1"> | ||||
| <thead> | ||||
| <tr> | ||||
| <th>Decimal</th> | ||||
| <th>Description</th> | ||||
| <th>References</th> | ||||
| </tr> | ||||
| </thead> | ||||
| <tbody> | ||||
| <tr> | ||||
| <td>72</td> | ||||
| <td>id-mod-aes-gmac-alg-2020</td> | ||||
| <td>RFC 9044</td> | ||||
| </tr> | ||||
| </tbody> | ||||
| </table> | ||||
| </section> | </section> | |||
| <section anchor="security-considerations" title="Security Considerations"> | <section anchor="security-considerations" title="Security Considerations"> | |||
| <t>The CMS provides a method for authenticating data. This document | <t>The CMS provides a method for authenticating data. This document | |||
| identifies the conventions for using the AES-GMAC algorithm with the CMS.</t> | identifies the conventions for using the AES-GMAC algorithm with the CMS.</t> | |||
| <t>The key management technique employed to distribute message-authentication | <t>The key management technique employed to distribute message-authentication | |||
| keys must itself provide authentication, otherwise the content is delivered | keys must itself provide authentication; otherwise, the content is delivered | |||
| with integrity from an unknown source.</t> | with integrity from an unknown source.</t> | |||
| <t>When more than two parties share the same message-authentication key, data | <t>When more than two parties share the same message-authentication key, data | |||
| origin authentication is not provided. Any party that knows the | origin authentication is not provided. Any party that knows the | |||
| message-authentication key can compute a valid MAC, therefore the content | message-authentication key can compute a valid MAC; therefore, the content | |||
| could originate from any one of the parties.</t> | could originate from any one of the parties.</t> | |||
| <t>Within the scope of any content-authentication key, the AES-GMAC nonce value | <t>Within the scope of any content-authentication key, the AES-GMAC nonce value | |||
| MUST be unique. Use of a nonce value more than once allows an attacker to | <bcp14>MUST</bcp14> be unique. Use of a nonce value more than once allows an at tacker to | |||
| generate valid AES-GMAC authentication codes for arbitrary messages, resulting | generate valid AES-GMAC authentication codes for arbitrary messages, resulting | |||
| in the loss of authentication as described in Appendix A of <xref target="GCM"/> .</t> | in the loss of authentication as described in Appendix A of <xref target="GCM"/> .</t> | |||
| <t>Within the scope of any content-authentication key, the authentication tag | <t>Within the scope of any content-authentication key, the authentication tag | |||
| length (MACLength) MUST be fixed.</t> | length (MACLength) <bcp14>MUST</bcp14> be fixed.</t> | |||
| <t>If AES-GMAC is used as a building block in another algorithm (e.g., as | <t>If AES-GMAC is used as a building block in another algorithm (e.g., as | |||
| a pseudo-random function), AES-GMAC MUST be used only one time by that | a pseudorandom function), AES-GMAC <bcp14>MUST</bcp14> be used only one time by | |||
| algorithm. For instance, AES-GMAC MUST NOT be used as the pseudo-random | that | |||
| algorithm. For instance, AES-GMAC <bcp14>MUST NOT</bcp14> be used as the pseudo | ||||
| random | ||||
| function for PBKDF2.</t> | function for PBKDF2.</t> | |||
| <t>When IV lengths other than 96 bits are used, the GHASH function is used to | <t>When initialization vector (IV) lengths other than 96 bits are used, the GHAS | |||
| process the provided IV, which introduces a potential of IV collisions. | H function is used to | |||
| process the provided IV, which introduces a potential for IV collisions. | ||||
| However, IV collisions are not a concern with CMS AuthenticatedData because | However, IV collisions are not a concern with CMS AuthenticatedData because | |||
| a fresh content-authentication key is usually generated for each message.</t> | a fresh content-authentication key is usually generated for each message.</t> | |||
| <t>The probability of a successful forgery is close to 2^(−t), where t is the | <t>The probability of a successful forgery is close to 2^(-t), where t is the | |||
| number of bits in the authentication tag length (MACLength*8). This nearly | number of bits in the authentication tag length (MACLength*8). This nearly | |||
| ideal authentication protection is achieved for CMS AuthenticatedData when a | ideal authentication protection is achieved for CMS AuthenticatedData when a | |||
| fresh content-authentication key is generated for each message. However, the | fresh content-authentication key is generated for each message. However, the | |||
| strength of GMAC degrades slightly as a function of the length of the message | strength of GMAC degrades slightly as a function of the length of the message | |||
| being authenticated <xref target="F2005"/><xref target="MV2005"/>. Implementati ons SHOULD use 16-octet | being authenticated <xref target="F2005"/> <xref target="MV2005"/>. Implementat ions <bcp14>SHOULD</bcp14> use 16-octet | |||
| authentication tags for messages over 2^64 octets.</t> | authentication tags for messages over 2^64 octets.</t> | |||
| <t>Implementations must randomly generate message-authentication keys. The use | <t>Implementations must randomly generate message-authentication keys. The use | |||
| of inadequate pseudo-random number generators (PRNGs) to generate keys can | of inadequate pseudorandom number generators (PRNGs) to generate keys can | |||
| result in little or no security. An attacker may find it much easier to | result in little or no security. An attacker may find it much easier to | |||
| reproduce the PRNG environment that produced the keys, searching the resulting | reproduce the PRNG environment that produced the keys, searching the resulting | |||
| small set of possibilities, rather than brute force searching the whole key | small set of possibilities, rather than brute-force searching the whole key | |||
| space. The generation of quality random numbers is difficult. <xref target="RF C4086"/> | space. The generation of quality random numbers is difficult. <xref target="RF C4086"/> | |||
| offers important guidance in this area.</t> | offers important guidance in this area.</t> | |||
| <t>Implementers should be aware that cryptographic algorithms become weaker | <t>Implementers should be aware that cryptographic algorithms become weaker | |||
| with time. As new cryptanalysis techniques are developed and computing | with time. As new cryptanalysis techniques are developed and computing | |||
| performance improves, the work factor to break a particular cryptographic | performance improves, the work factor to break a particular cryptographic | |||
| algorithm will reduce. Therefore, cryptographic algorithm implementations | algorithm will reduce. Therefore, cryptographic algorithm implementations | |||
| should be modular allowing new algorithms to be readily inserted. That is, | should be modular, allowing new algorithms to be readily inserted. That is, | |||
| implementers should be prepared to regularly update the set of algorithms | implementers should be prepared to regularly update the set of algorithms | |||
| in their implementations. More information is available in BCP 201 <xref target ="RFC7696"/>.</t> | in their implementations. More information is available in BCP 201 <xref target ="RFC7696"/>.</t> | |||
| </section> | </section> | |||
| <section anchor="acknowledgements" title="Acknowledgements"> | ||||
| <t>Many thanks to | ||||
| Hans Aschauer, | ||||
| Hendrik Brockhaus, | ||||
| Quynh Dang, | ||||
| Roman Danyliw, | ||||
| Tim Hollebeek, | ||||
| Ben Kaduk, | ||||
| Mike Ounsworth, and | ||||
| Magnus Westerlund | ||||
| for their careful review and thoughtful improvements.</t> | ||||
| </section> | ||||
| </middle> | </middle> | |||
| <back> | <back> | |||
| <references> | ||||
| <name>References</name> | ||||
| <references> | ||||
| <name>Normative References</name> | ||||
| <xi:include | ||||
| href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> | ||||
| <xi:include | ||||
| href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5652.xml"/> | ||||
| <xi:include | ||||
| href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5912.xml"/> | ||||
| <xi:include | ||||
| href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> | ||||
| <references title='Normative References'> | <reference anchor="AES"> | |||
| &RFC2119; | ||||
| &RFC8174; | ||||
| &RFC5912; | ||||
| &RFC5652; | ||||
| <reference anchor="AES" > | ||||
| <front> | <front> | |||
| <title>Advanced Encryption Standard (AES)</title> | <title>Advanced Encryption Standard (AES)</title> | |||
| <author > | <author > | |||
| <organization>National Institute of Standards and Technology (NIST)</organ ization> | <organization>National Institute of Standards and Technology</organization > | |||
| </author> | </author> | |||
| <date year="2001" month="November"/> | <date year="2001" month="November"/> | |||
| </front> | </front> | |||
| <seriesInfo name="FIPS Publication" value="197"/> | <seriesInfo name="FIPS PUB" value="197"/> | |||
| <seriesInfo name="DOI" value="10.6028/NIST.FIPS.197"/> | ||||
| </reference> | </reference> | |||
| <reference anchor="GCM" > | <reference anchor="GCM" > | |||
| <front> | <front> | |||
| <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mo de (GCM) and GMAC</title> | <title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mo de (GCM) and GMAC</title> | |||
| <author initials="M." surname="Dworkin" fullname="M. Dworkin"> | <author initials="M." surname="Dworkin" fullname="M. Dworkin"> | |||
| <organization>National Institute of Standards and Technology (NIST)</organ ization> | ||||
| </author> | </author> | |||
| <date year="2007" month="November"/> | <date year="2007" month="November"/> | |||
| </front> | </front> | |||
| <seriesInfo name="NIST Special Publication" value="800-38D"/> | <seriesInfo name="NIST Special Publication" value="800-38D"/> | |||
| <seriesInfo name="DOI" value="10.6028/NIST.SP.800-38D"/> | ||||
| </reference> | </reference> | |||
| </references> | ||||
| <references> | ||||
| <name>Informative References</name> | ||||
| </references> | <xi:include | |||
| href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/> | ||||
| <references title='Informative References'> | <xi:include | |||
| href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5084.xml"/> | ||||
| <xi:include | ||||
| href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7696.xml"/> | ||||
| &RFC7696; | <reference anchor="F2005" target="https://csrc.nist.gov/csrc/media/projects/bloc | |||
| &RFC5084; | k-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf"> | |||
| &RFC4086; | ||||
| <reference anchor="F2005" > | ||||
| <front> | <front> | |||
| <title>Authentication weaknesses in GCM</title> | <title>Authentication weaknesses in GCM</title> | |||
| <author initials="N." surname="Ferguson" fullname="Niels Ferguson"> | <author initials="N." surname="Ferguson" fullname="Niels Ferguson"> | |||
| <organization></organization> | <organization></organization> | |||
| </author> | </author> | |||
| <date year="2005" month="May" day="20"/> | <date year="2005" month="May"/> | |||
| </front> | </front> | |||
| <format type="PDF" target="https://csrc.nist.gov/csrc/media/projects/block-cip | </reference> | |||
| her-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf"/> | ||||
| <annotation>Comments to the NIST Modes of Operation process.</annotation></refer | <reference anchor="MV2005" target="https://csrc.nist.gov/CSRC/media/Projects/Blo | |||
| ence> | ck-Cipher-Techniques/documents/BCM/Comments/CWC-GCM/gcm-update.pdf"> | |||
| <reference anchor="MV2005" > | ||||
| <front> | <front> | |||
| <title>GCM Update</title> | <title>GCM Update</title> | |||
| <author initials="D." surname="McGrew" fullname="David McGrew"> | <author initials="D." surname="McGrew" fullname="David McGrew"> | |||
| <organization></organization> | <organization></organization> | |||
| </author> | </author> | |||
| <author initials="J." surname="Viega" fullname="John Viega"> | <author initials="J." surname="Viega" fullname="John Viega"> | |||
| <organization></organization> | <organization></organization> | |||
| </author> | </author> | |||
| <date year="2005" month="May" day="31"/> | <date year="2005" month="May"/> | |||
| </front> | </front> | |||
| <format type="PDF" target="https://csrc.nist.gov/CSRC/media/Projects/Block-Cip | </reference> | |||
| her-Techniques/documents/BCM/Comments/CWC-GCM/gcm-update.pdf"/> | ||||
| <annotation>Comments to the NIST Modes of Operation process.</annotation></refer | ||||
| ence> | ||||
| </references> | </references> | |||
| </references> | ||||
| <section anchor="acknowledgements" numbered="false" title="Acknowledgements"> | ||||
| </back> | <t>Many thanks to | |||
| <contact fullname="Hans Aschauer"/>, | ||||
| <!-- ##markdown-source: | <contact fullname="Hendrik Brockhaus"/>, | |||
| H4sIAOkYZ2AAA61abXPiSJL+Xr+iwo64gA2EgbbdNhMXsRhjmxljewHP3MTG | <contact fullname="Quynh Dang"/>, | |||
| 7kYhFVCDkFiVZDfj83y+z/cT75fck1UlgTDd7Z6ZjmgjpHrJfDIr88kUnuex | <contact fullname="Roman Danyliw"/>, | |||
| VKWhbPNHraIZT+eSd3oj73rQ6fJOOIsTlc6X/Bl/zbNusl6l8SwRq7ny+UBq | <contact fullname="Tim Hollebeek"/>, | |||
| LWaSj9ZRKj7xSncwqjIxmSTyKV+wWGyzxGDEgtiPxBK7BomYpp6S6dQLxXKl | <contact fullname="Ben Kaduk"/>, | |||
| PX+pPSG1N1sK3xPhzGucsECkGNpqtJpe49hrtJiPGxBt3eY6DRhTq6TN0yTT | <contact fullname="Mike Ounsworth"/>, and | |||
| aavROMdzkUjR5iPpZxB/zRZy/RwnQZv3o1QmkUy9S9qW+XGkZaQzbWZLxnQq | <contact fullname="Magnus Westerlund"/> | |||
| ouBfIowj7BfFbKXa/O9p7Ne4jpM0kVONq/WSLv7BmMjSeZy0GfcYxz8VYZ1h | for their careful review and thoughtful improvements.</t> | |||
| nd/EmQ7l2tyzSg4zrUu342TW5j+qmQoLIWv89rZrHub4lZ+bRxoyyLTNT5qn | ||||
| HCpEUj+pMJR8GIvADPAxss1voGQQRzX+Y8fejQODX/Njw33PopTQexyZ73Ip | ||||
| VNjmcyvhX59oYy39uh8vGYviZClS9SShKB9edVvN5rm7PGt+PHaXJ+fNVn55 | ||||
| emIuYfm2Wd45WCd4EpEvA96LfPIiFUd8RICLJOAVjK5a9XNUeYHUnaDBIoT9 | ||||
| NBbLUsnjaTFXc3zysfTnURzGszWv3PVHY7tY7jmNptdsWghloiQ8cxrnWxxc | ||||
| 9R9G/CGbhMo3Gx20efP8I55edwclDQ6GEpAsJbY10k/jhF+Esb/gXbWay4QP | ||||
| ALQm2e5XMjFj2vwa7qT0UZcwd0N4BStXjdh0NA726G0d52BQ55dw3YWKDv5k | ||||
| QD5+ARAazkcr6StsUQbmrNHwPpxdMhpf9ouPp+enuQc0znK/OG6cmbtX2PKk | ||||
| 7A7QV0apW5o/S7GAP2vgpyJCfg8o5oTd1fmVTGaZjqMSVndKhrr8qFD2BFHE | ||||
| a1nnt3LnSz5cXsHx03Sl20dHvk78eqR0Wp/FT+bb0VIGShytkvgX6af6aELW | ||||
| 9nxjbS8lhNW/M6mPEM8y+AWN8JdH1knwxX/2vRluTJ1UrfoqmFrFIrhG143j | ||||
| aWwio8H9rQ9xbO8DmjpmDn58AySw4o8r0nUPZJ77dOBd1vnAv07kc3Hbgncp | ||||
| nlRQfrQz8/s6ApKciZ2J38fzyD7geyD/0Pw2yLujYddB/pBDbg6YZw+YN94H | ||||
| +UV3cJRDedT9qesBkSPA7mUGlT+IOfM8DzEZoVf4KWPjudI835trOiRTnB+z | ||||
| FvLJE7k00oqJDdnblOoyJtvx/i5FBZGnW/2+fMtMvuVCF2IEdHZw6jjFYCf6 | ||||
| UgVBiNx2iOSXxEHmmw1fDhV9ff2jCrGXF1y+vr68APTX10LCffpVML660bJQ | ||||
| kn2dVPCXF5dZXl+h1+FYJkvlotvLIeLqUhtVJEeu55TsNYLn42h8ULOf/O7e | ||||
| XA97f3vsD3uXdD266dzeFhd2BMOX+8db95yuNjO794NB7+7STsZdvnNr0PkZ | ||||
| H4i97OD+Ydy/v+vcHpBB0hLC4CbkexOJRxB8lcgUdoMR4YJ+oibGiOyi+/Af | ||||
| 0USvvmseW90p7QJfc015F9fPQNjsx+MoXLuvwHPNxWolRULriDDkvlipVITg | ||||
| LuQq8/g54jhLknD8krkK9qedk4ASmKef9xG5XIXxGhpM1kTztq3GFJ5JQkDY | ||||
| selcwN2y1QrMqnxG9rvU3iOz41JQiRbYuJgKaAZkTbQBHrFEpPaYmC03S8rg | ||||
| UqSCgXVuWC/mhYFb80mEiDrvWoRjkWLu4WFxVIx/fkXL9xwcllGWBEeliEUS | ||||
| TOMwjJ/paO7X/Bu0/c7adB4rX8IjV+A6tJW5q9WvxZaQnY5aDV6n/DmDd0gs | ||||
| An7TbJ3xiUrhbM3zlrtC5GidnJovbcZ+++03Cscg+fz+4vted8z7l727cf+q | ||||
| 3xvydvs/+Qv/JcbZ8JSOPZAbL620qjlnrTRPqwhDlbPjRrVIRZYWiUj9akCr | ||||
| NKsc2aTSbODCB3OvfKhyyjGFrpXjKm9yRAzKbgHVGxDbmuVzIpG455hCm21N | ||||
| O299fVrrvLQVoPj6nGOaQ0ixK6BHpzidg/s7+LXca2nnpCYIsELZ/ub5SiTI | ||||
| 2in5hLE2N6ERoQhRCJVQaqMJ2XczkpkxOOWpIGIGwR+KZxtrlu8bRUYItb27 | ||||
| bo+/5DwtBv3PDXbfHfdAMsfD/t11jSNPJTm3xskyngafarZ47Kcy1W6FUEYz | ||||
| 5Az7Dzve2u+XvavO4+2YhlugN49IkP7duHcNdCt4/t+8+YH+HNOfE/pzWrU4 | ||||
| 0+Hc0cIKbJFSNtoZw6lIpaDGzt3YE+JinNQ5rWCnLMWaz8UTrBSteZQtJ8Ae | ||||
| lqMDALTTZykjfmawrrT+eXpc9Zo1NslSrtLCIogiWZgqxEyaac9UnfOfYFF3 | ||||
| nLUfr8xDbEKlbAoDeqIcPswRTQu5jH8UW2SGSWHRDtt+jBUL3JE7Iusfhg3B | ||||
| NMsYEVBOp8pX2Cdc15iObSx3xiGesLsjwNvKlfW9YOfTDdqpDEP9JugsXSbY | ||||
| UZLKW2jRd+CBavrzzVyg5XRxqxiR2DuCN4DJpSphojQra3PYL+U2BO1I41Ra | ||||
| Jons2Yl4OfsVUfTrJfEXysdt0bncrLAVGraoIWnskg1ptk8kk5tQTTijZ2Rv | ||||
| UBWcyxWVmLn/M2cHvscOlPnhLKgmcqb4ec9kQpdzycZt3JPyQeP2oCFI8V9l | ||||
| EnvWNmwVCmJSn9J8q00Uczcc3yoD5rYQQaBsMc3KzwNyhkqnc1kFXOSvCJE4 | ||||
| kVsJ0GCloqfYqWRDBCsy/B54XL6koT6CurRi7gxMxYyom46XcsdIFAH6Ub63 | ||||
| BWzL8DqVK2PzhQIBDAwjpDaWimA/vsEJQ6yNZFBglUgcXMgXwd6m1toaiaJB | ||||
| Bu7U5rGWpm2dgpwfvUkRKOwRMLQMYTs4ISwBe86iTYWzlZMCOVUR5KYQssGX | ||||
| WmBGvQ/1FqFvSWXj7NiWAp3RXb1J5yKjKmdcokP22dI844Y10Y5mG1V0cCCu | ||||
| 17m9vh/2xzcDNk3ipdvivGmrDUoPpRLFcTVboJC6W1SZMtMLcIuJhSwlhX5v | ||||
| Egdr4jCOt/BEi0CrSrP54eT4vMpdclstfE2T6NM7r+CBXqqlNIzHqqArBekB | ||||
| lcC9cqe01Wg1KuOLyyplQdipf9enKmTE+4OH2363P+bjzvWIUiK76F3376g+ | ||||
| 5L3/ergfjkdg+yFjGEhfqHn3lj28vNZ2sOL8ang/2BqbN4XiyKNOLKV1g+ff | ||||
| HZz/cNIXABXcJfBKDA6ELYiDCjRXrmWL0QXf064nWjkhiP055umlpm+rhfpU | ||||
| +Vh18FS2OGIO2D5ZG63KyVn1lX9nELmfUOOBbxRHBP/zyOrvJKq/h6V+M0X9 | ||||
| Vn5KaJmRm+PO2FeZ4B+kge/igN9IAEmRTSFUsjwOlyhBXzoCDhGSawumsrHo | ||||
| 4UNn2EE9PP75obcbHzvDHpT+d6YSaXr4/ZH3Q+/n3qVHm42Hjz3Sp5AiN+Ye | ||||
| KfYL4Sb8mUIUDvJeIfIJf4YQyDbkJsgD7w7Jht4f9jt3nTfMzNyEhwm9sFwn | ||||
| kTOcP6LrNgpsl9GULKjqdvlkq+5CtqbEcjAa9IsXNmb46GjQH/RcdtpyLLhi | ||||
| vVVHXKjbJFBv1vH/tN6oHjArQmIX+Fycp14wZ4fFZruKje2LtjzPa6onZDqP | ||||
| bXLdJhxIk0R1DMnZ6lOxQr139zbfdvZIhPqmL7cUEWxkumBF73zTMwL6ASmu | ||||
| JkQ2HcfcoY30Kk+jMtJUK4FUTHMFdzhUjcfEaZ6VliUiSArKUD1JcjEjJeWX | ||||
| mbUXZSow3yxaRNQj03GW+NQl+4lolKl7UOeAnj3HRFpSQkbPTTuPag148WeE | ||||
| tuSWQGbAZwZGs/NcUamZFpzM0PO12WNtSysSyJLLz+9gWHtO1QXxMerod7q1 | ||||
| DbvbhgIVY4ZCywoEwpurv95uLDk1CYP9decX2H2t7Bxb5SB7U4A+artgqWjc | ||||
| IG5LAiJ19GqLizQV/gKHKI3ZTEbk9NLp+yXubf1WJKikE4Hj5aDUNcfs4c95 | ||||
| VRjG2pSLO6vsNGl5Z0X9MfUJdaLhpba4+v1gva0DmMt2lSKhVYvyfao+GVbe | ||||
| n27UhieZqk3QgZ9kKjRlmHlrRQKLyByLrZNakfVZnRrDTPCVllkQewmoPVxh | ||||
| mkWGdldrW28vcsPRHqbpTM6SgqVS3Ueuyja9WLBDCmARvVT35e4q1D/PV3Kl | ||||
| WGl/lu9vrPZw8cPlVSs/i/0fHQvQ9phbLzm3HUbToqVlLabXN53RTaFMARBc | ||||
| x/U07Nbu6GHpokRzr0tM7FzFZDh6HQpTYnsfJYbSpiJjN/GzRECple8bMehU | ||||
| CzK7Dw5royIF5bdNh4n0BeSCEaZwxvkXPMVqkOE0rHnu/DaoSwGpnVO7oAu1 | ||||
| JmKiQgpv5nzpzCedp1lIU2YyMev58HfzUqL1z8r//c//plXCgMq2NK9pd3pY | ||||
| zrn31K1v/PUvZ9U8tURSJOGaEgtw3JkLSVNZmAiaKGBq9dqPmKltBXsPXF+A | ||||
| ifPCeqQm/b4i7/cYVw2QGwSFDo2idZ4Cc3OyCndycXLTJdpuU02kacmXugov | ||||
| L+ZNOPX97atc043p77wbcW+e4BGgp57hvrtNL4BtA1oexngMNTi1Ex1ZptCw | ||||
| s65JnPZ8bbnPF9KWdr0P8k1oh0wRgKDRnHKwcP7hVoxBlioPw7trXSWvKvYx | ||||
| yRtpirlWCtwIrplSizOhxkNe19n+VBHmqZuKij2g9ugyg/Wk0MqG/0S69oQB | ||||
| nrbkMnpSSRxZlkHJM29gmCEkQg0biQQu5gjMJvzrJXXatTRdnhWSgDKHR5kk | ||||
| ITahZpJQkgX6vtxZ63keh2YXplfClw4+h4DzGABoTmQJO224iaLGKoTBPNOD | ||||
| oJ9PvL4C+qkZsaSXZQKKzTIVUFQtXi/SL562DU7D9dykeOp8PVuaAjT80rvW | ||||
| rVfOEyq8pPkdhkwsN6LATrago/tsZ4LBhWtNUaF4E28iXYBDFMbUdKLGkKUh | ||||
| hOhKJqbONrIuKcy69xP0knbBp4I6eqY/BwUWFGmJcgACkZRFZdvsEkYCgcty | ||||
| fPPe1Wd0222isQ0whsqLxJILsiEpugWKbRxCtEDhwCCXUV8sMLsKCo61zWvN | ||||
| MuIreCZwyWsK2gQL2B8kWGJgnWyzl+MeKtnT8xsQFVKbjoWJkU9ChWISGh+4 | ||||
| 6D7Q77us09AvcVxvzCfmGMrAsm7UBQPiIeTDC6McuxEICx3tz0WGIMhuwGcS | ||||
| teAXyI0L3IOCf8vWEcprEc1qbBjDknS9DtVzjY3VEvEzDOVEykWNXSAi/yCC | ||||
| DJcDtZD8Pos0rJzO7UvxgZhFmeY/Saqvwgx33KsCqOwDK0pKiXxSZAHTk4wz | ||||
| hFy66xzHqOB+1TBBaGD/Dz5Asp6+KAAA | ||||
| </section> | ||||
| </back> | ||||
| </rfc> | </rfc> | |||
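Review bot: The ASN.1 Module section's opening tag on the new side reads `<sourcecode type="asn.1"> <![CDATA[` with a space before the CDATA marker, while the two earlier listings in the AES-GMAC section use `<sourcecode type="asn.1"><![CDATA[`; the renderer may well trim that leading space, but the inconsistency is visible and worth normalizing to the form used by the other two elements. Separately, the new file still opens with `<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">` and pulls every RFC reference through remote `xi:include` hrefs under `https://xml2rfc.ietf.org/...`, which is the expected xml2rfc v3 form, but it means the document's own DOCTYPE and hrefs decide what a processor fetches; anyone parsing this file outside the xml2rfc toolchain should do so with external entity resolution and XInclude disabled, or with the includes resolved against a local bibxml copy. A one-line XML comment above the first `<xi:include` noting that the references are fetched at build time would make that expectation explicit to downstream consumers.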