1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
|
Network Working Group D. Black
Request for Comments: 5282 EMC
Updates: 4306 D. McGrew
Category: Standards Track August 2008
Using Authenticated Encryption Algorithms with the Encrypted Payload
of the Internet Key Exchange version 2 (IKEv2) Protocol
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
An authenticated encryption algorithm combines encryption and
integrity into a single operation; such algorithms may also be
referred to as combined modes of an encryption cipher or as combined
mode algorithms. This document describes the use of authenticated
encryption algorithms with the Encrypted Payload of the Internet Key
Exchange version 2 (IKEv2) protocol.
The use of two specific authenticated encryption algorithms with the
IKEv2 Encrypted Payload is also described; these two algorithms are
the Advanced Encryption Standard (AES) in Galois/Counter Mode (AES
GCM) and AES in Counter with CBC-MAC Mode (AES CCM). Additional
documents may describe the use of other authenticated encryption
algorithms with the IKEv2 Encrypted Payload.
Black & McGrew Standards Track [Page 1]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
Table of Contents
1. Introduction ....................................................3
1.1. Conventions Used in This Document ..........................3
2. Structure of this Document ......................................4
3. IKEv2 Encrypted Payload Data ....................................4
3.1. AES GCM and AES CCM Initialization Vector (IV) .............6
3.2. AES GCM and AES CCM Ciphertext (C) Construction ............6
4. AES GCM and AES CCM Nonce (N) Format ............................7
5. IKEv2 Associated Data (A) .......................................8
5.1. Associated Data (A) Construction ...........................8
5.2. Data Integrity Coverage ....................................8
6. AES GCM and AES CCM Encrypted Payload Expansion .................9
7. IKEv2 Conventions for AES GCM and AES CCM .......................9
7.1. Keying Material and Salt Values ............................9
7.2. IKEv2 Identifiers .........................................10
7.3. Key Length ................................................10
8. IKEv2 Algorithm Selection ......................................11
9. Test Vectors ...................................................11
10. RFC 5116 AEAD_* Algorithms ....................................11
10.1. AES GCM Algorithms with 8- and 12-octet ICVs .............12
10.1.1. AEAD_AES_128_GCM_8 ................................12
10.1.2. AEAD_AES_256_GCM_8 ................................12
10.1.3. AEAD_AES_128_GCM_12 ...............................12
10.1.4. AEAD_AES_256_GCM_12 ...............................12
10.2. AES CCM Algorithms with an 11-octet Nonce ................13
10.2.1. AEAD_AES_128_CCM_SHORT ............................13
10.2.2. AEAD_AES_256_CCM_SHORT ............................14
10.2.3. AEAD_AES_128_CCM_SHORT_8 ..........................14
10.2.4. AEAD_AES_256_CCM_SHORT_8 ..........................14
10.2.5. AEAD_AES_128_CCM_SHORT_12 .........................14
10.2.6. AEAD_AES_256_CCM_SHORT_12 .........................14
10.3. AEAD_* Algorithms and IKEv2 ..............................15
11. Security Considerations .......................................15
12. IANA Considerations ...........................................16
13. Acknowledgments ...............................................16
14. References ....................................................17
14.1. Normative References .....................................17
14.2. Informative References ...................................17
Black & McGrew Standards Track [Page 2]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
1. Introduction
An authenticated encryption algorithm combines encryption and
integrity into a single operation on plaintext data to produce
ciphertext that includes an integrity check [RFC5116]. The integrity
check may be an Integrity Check Value (ICV) that is logically
distinct from the encrypted data, or the integrity check may be
incorporated into the encrypted data that is produced. Authenticated
encryption algorithms may also be referred to as combined modes of
operation of a block cipher or as combined mode algorithms.
An Authenticated Encryption with Associated Data (AEAD) algorithm
also provides integrity protection for additional data that is
associated with the plaintext, but which is left unencrypted. This
document describes the use of AEAD algorithms with the Encrypted
Payload of the Internet Key Exchange version 2 (IKEv2) protocol. The
use of two specific AEAD algorithms with the IKEv2 Encrypted Payload
is also described; the two algorithms are the Advanced Encryption
Standard (AES) in Galois/Counter Mode (AES GCM) [GCM] and AES in
Counter with CBC-MAC Mode (AES CCM) [CCM].
Version 1 of the Internet Key Exchange protocol (IKEv1) [RFC2409] is
based on the Internet Security Association and Key Management
Protocol (ISAKMP) [RFC2408]. The E (Encryption) bit in the ISAKMP
header specifies that all payloads following the header are
encrypted, but any data integrity verification of those payloads is
handled by a separate Hash Payload or Signature Payload (see Sections
3.1, 3.11, and 3.12 of [RFC2408]). This separation of encryption
from data integrity protection prevents the use of authenticated
encryption with IKEv1, thus limiting initial specifications of AES
combined mode usage for IPsec to the Encapsulating Security Payload
(ESP) [RFC2406]. The current version of ESP is version 3, ESPv3
[RFC4303].
Version 2 of the Internet Key Exchange Protocol (IKEv2) [RFC4306]
employs an Encrypted Payload that is based on the design of ESP. The
IKEv2 Encrypted Payload associates encryption and data integrity
protection in a fashion that makes it possible to use AEAD
algorithms.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
The symbols or variables that designate authenticated encryption and
decryption operation inputs and outputs (K, N, P, A, and C) are
Black & McGrew Standards Track [Page 3]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
defined in [RFC5116]. The SK_* symbols or variables that designate
specific IKEv2 keys are defined in [RFC4306].
2. Structure of this Document
This document is based on the RFCs that describe the usage of AES GCM
[RFC4106] and AES CCM [RFC4309] with ESP; hence, the introductory
material and specification of the modes in those documents are not
repeated here. The structure of this document follows the structure
of those documents; many sections of this document indicate which
sections of those two documents correspond, and call out any
significant differences that implementers should be aware of.
Significant portions of the text of this document have been adapted
from those two documents.
This document is based on the authenticated encryption interfaces,
notation, and terminology described in [RFC5116]. An important
departure from [RFC4106] and [RFC4309] is that these two RFCs
describe separate ciphertext and integrity check outputs of the
encryption operation, whereas [RFC5116] specifies a single ciphertext
(C) output that includes an integrity check. The latter more general
approach encompasses authenticated encryption algorithms that produce
a single, expanded ciphertext output into which the integrity check
is incorporated, rather than producing separate ciphertext and
integrity check outputs.
For AES GCM and AES CCM, the [RFC5116] ciphertext (C) output of
authenticated encryption consists of the [RFC4106] or [RFC4309]
ciphertext output concatenated with the [RFC4106] or [RFC4309]
Integrity Check Value (ICV) output. This document does not modify
the AES GCM or AES CCM authenticated encryption algorithms specified
in [RFC4106] and [RFC4309].
3. IKEv2 Encrypted Payload Data
This section is based on [RFC5116] and Section 3.14 of [RFC4306].
For the use of authenticated encryption algorithms with the IKEv2
Encrypted Payload, this section updates Section 3.14 of [RFC4306] by
replacing Figure 21 and the text that follows it (through the end of
that section) with the contents of this section. In addition,
Section 3.14 of [RFC4306] is also updated to allow the use of a
single authenticated encryption algorithm instead of a block cipher
and a separate integrity check algorithm. In contrast, Sections 3.1
and 3.2 of this document are specific to the AES GCM and AES CCM
algorithms and hence do not update [RFC4306]. The updates to
[RFC4306] made by this document have no effect when authenticated
encryption algorithms are neither proposed nor used.
Black & McGrew Standards Track [Page 4]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
The IKEv2 Encrypted Payload Data structure applies to all
authenticated encryption algorithms, and it is the same structure
that is used with ESP. When an authenticated encryption algorithm is
used, the IKEv2 Encrypted Payload is composed of the payload header
fields, followed by an Initialization Vector (IV) field and a
Ciphertext (C) field that includes an integrity check as shown in
Figure 1.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload !C! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Initialization Vector !
! (length is specified by authenticated encryption algorithm) !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Ciphertext ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1. IKEv2 Encrypted Payload Data for Authenticated Encryption
The Next Payload, C bit, and Payload Length fields are unchanged from
[RFC4306].
The contents of the Initialization Vector (IV) field are specified by
the authenticated encryption algorithm; see Sections 3.1 and 4
(below) for AES GCM and AES CCM.
The Ciphertext field is the output of an authenticated encryption
operation (see Section 2.1 of [RFC5116]) on the following inputs:
o The secret key (K) is the cipher key obtained from the SK_ei or
SK_er key, whichever is appropriate, see [RFC4306]. The
authenticated encryption algorithm describes how to obtain the
cipher key from SK_ei or SK_er; for AES GCM and AES CCM, see
Section 7.1 (below).
o The nonce (N) is specified by the authenticated encryption
algorithm; for AES GCM and AES CCM, see Section 4 (below). When
decrypting an Encrypted Payload, a receiver constructs the nonce
based on the IV in the Encrypted Payload, using rules that are
specific to the authenticated encryption algorithm; see Sections
3.1 and 4 (below) for AES GCM and AES CCM.
o The plaintext (P) consists of the concatenation of the IKE
Payloads to be encrypted with the Padding (if any) and the Pad
Length, as shown in Figure 2 (below). The plaintext structure in
Figure 2 applies to all encryption algorithms used with the IKEv2
Encrypted Payload, and is unchanged from [RFC4306].
Black & McGrew Standards Track [Page 5]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
o The associated data (A) is described in Section 5 (below).
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ IKE Payloads to be Encrypted ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! ! Padding (0-255 octets) !
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
! ! Pad Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2. IKEv2 Encrypted Payload Plaintext (P)
The IKE Payloads are as specified in [RFC4306].
Padding MAY contain any value chosen by the sender.
Pad Length is the number of octets in the Padding field. There are
no alignment requirements on the length of the Padding field; the
recipient MUST accept any amount of Padding up to 255 octets.
The ciphertext output of authenticated encryption algorithms, as
defined by [RFC5116], incorporates data that allows checks on the
integrity and authenticity of the ciphertext and associated data.
Thus, there is no need for a separate Integrity Check Value (ICV)
field in the IKEv2 Encrypted Payload Data structure.
3.1. AES GCM and AES CCM Initialization Vector (IV)
This section is based on Section 3.1 of [RFC4106] and Section 3.1 of
[RFC4309]. The Initialization Vector requirements are common to AES
GCM and AES CCM, and are the same as the requirements for ESP.
The Initialization Vector (IV) MUST be eight octets. The IV MUST be
chosen by the encryptor in a manner that ensures that the same IV
value is used only once for a given key. The encryptor MAY generate
the IV in any manner that ensures uniqueness. Common approaches to
IV generation include incrementing a counter for each packet and
linear feedback shift registers (LFSRs).
3.2. AES GCM and AES CCM Ciphertext (C) Construction
This section is based on Section 6 of [RFC4106] and Section 3.1 of
[RFC4309] with generalizations to match the interfaces specified in
[RFC5116]. The constructions for AES GCM and AES CCM are different,
but in each case, the construction is the same as for ESP.
Black & McGrew Standards Track [Page 6]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
For AES GCM and AES CCM, the Ciphertext field consists of the output
of the authenticated encryption algorithm. (Note that this field
incorporates integrity check data.)
The AES GCM ICV consists solely of the AES GCM Authentication Tag.
Implementations MUST support a full-length 16 octet ICV, MAY support
8 or 12 octet ICVs, and MUST NOT support other ICV lengths.
AES CCM provides an encrypted ICV. Implementations MUST support ICV
sizes of 8 octets and 16 octets. Implementations MAY also support 12
octet ICVs and MUST NOT support other ICV lengths.
4. AES GCM and AES CCM Nonce (N) Format
Specific authenticated encryption algorithms MAY use different nonce
formats, but they SHOULD use the default nonce format specified in
this section.
The default nonce format uses partially implicit nonces (see Section
3.2.1 of [RFC5116]) as follows:
o The implicit portion of the nonce is the salt that is part of the
IKEv2 Keying Material shared by the encryptor and decryptor (see
Section 7.1); the salt is not included in the IKEv2 Encrypted
Payload.
o The explicit portion of the nonce is the IV that is included in
the IKEv2 Encrypted Payload.
When this default nonce format is used, both the encryptor and
decryptor construct the nonce by concatenating the salt with the IV,
in that order.
For the use of AES GCM with the IKEv2 Encrypted Payload, this default
nonce format MUST be used and a 12 octet nonce MUST be used. Note
that this format matches the one specified in Section 4 of [RFC4106],
providing compatibility between the use of AES GCM in IKEv2 and ESP.
All of the requirements of Section 4 of [RFC4106] apply to the use of
AES GCM with the IKEv2 Encrypted Payload.
For the use of AES CCM with the IKEv2 Encrypted Payload, this default
nonce format MUST be used and an 11 octet nonce MUST be used. Note
that this format matches the one specified in Section 4 of [RFC4309],
providing compatibility between the use of AES CCM in IKEv2 and ESP.
All of the requirements of Section 4 of [RFC4309] apply to the use of
AES CCM with the IKEv2 Encrypted Payload.
Black & McGrew Standards Track [Page 7]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
5. IKEv2 Associated Data (A)
This section is based on Section 5 of [RFC4106] and Section 5 of
[RFC4309], both of which refer to associated data as Additional
Authenticated Data (AAD). The associated data construction described
in this section applies to all authenticated encryption algorithms,
but differs from the construction used with ESP because IKEv2
requires different data integrity coverage.
5.1. Associated Data (A) Construction
The associated data (A) MUST consist of the partial contents of the
IKEv2 message, starting from the first octet of the Fixed IKE Header
through the last octet of the Payload Header of the Encrypted Payload
(i.e., the fourth octet of the Encrypted Payload), as shown in Figure
3. This includes any payloads that are between the Fixed IKE Header
and the Encrypted Payload.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ IKEv2 Header ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Unencrypted IKE Payloads ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload !C! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3. IKEv2 Encrypted Payload Associated Data (A) for
Authenticated Encryption
The Initialization Vector and Ciphertext fields shown in Figure 1
(above) MUST NOT be included in the associated data.
5.2. Data Integrity Coverage
The data integrity coverage of the IKEv2 Encrypted Payload
encompasses the entire IKEv2 message that contains the Encrypted
Payload. When an authenticated encryption algorithm is used with the
Encrypted Payload, this coverage is realized as follows:
1. The associated data (A) covers the portion of the IKEv2 message
starting from the first octet of the Fixed IKE Header through the
last octet of the Payload Header of the Encrypted Payload (fourth
octet of the Encrypted Payload). This includes any Payloads
between the Fixed IKE Header and the Encrypted Payload. The
Encrypted Payload is always the last payload in an IKEv2 message
[RFC4306].
Black & McGrew Standards Track [Page 8]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
2. The IV is an input to the authenticated encryption algorithm's
integrity check. A successful integrity check at the receiver
verifies that the correct IV was used, providing data integrity
coverage for the IV.
3. The plaintext (IKE Payloads, Padding and Pad Length) is covered by
the authenticated encryption algorithm's integrity check.
6. AES GCM and AES CCM Encrypted Payload Expansion
The expansion described in Section 7 of [RFC4106] and Section 6 of
[RFC4309] applies to the use of the AES GCM and AES CCM combined
modes with the IKEv2 Encrypted Payload. See Section 7 of [RFC4106]
and Section 6 of [RFC4309].
7. IKEv2 Conventions for AES GCM and AES CCM
This section describes the conventions used to generate keying
material and salt values for use with AES GCM and AES CCM using the
IKEv2 [RFC4306] protocol. The identifiers and attributes needed to
use AES GCM and AES CCM with the IKEv2 Encrypted Payload are also
specified.
7.1. Keying Material and Salt Values
This section is based on Section 8.1 of [RFC4106] and Section 7.1 of
[RFC4309]. The Keying Material and Salt Values for AES GCM and AES
CCM are different, but have the same structure as the Keying Material
and Salt Values used with ESP.
IKEv2 makes use of a Pseudo-Random Function (PRF) to derive keying
material. The PRF is used iteratively to derive keying material of
arbitrary size, from which keying material for specific uses is
extracted without regard to PRF output boundaries; see Section 2.14
of [RFC4306].
This subsection describes how the key derivation specified in Section
2.14 of [RFC4306] is used to obtain keying material for AES GCM and
AES CCM. When AES GCM or AES CCM is used with the IKEv2 Encrypted
Payload, the SK_ai and SK_ar integrity protection keys are not used;
each key MUST be treated as having a size of zero (0) octets. The
size of each of the SK_ei and SK_er encryption keys includes
additional salt bytes. The size and format of each of the SK_ei and
SK_er encryption keys MUST be:
o For AES GCM, each encryption key has the size and format of the
"KEYMAT requested" material specified in Section 8.1 of [RFC4106]
for the AES key size being used. For example, if the AES key size
Black & McGrew Standards Track [Page 9]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
is 128 bits, each encryption key is 20 octets, consisting of a
16-octet AES cipher key followed by 4 octets of salt.
o For AES CCM, each key has the size and format of the "KEYMAT
requested" material specified in Section 7.1 of [RFC4309] for the
AES key size being used. For example, if the AES key size is 128
bits, each encryption key is 19 octets, consisting of a 16-octet
AES cipher key followed by 3 octets of salt.
7.2. IKEv2 Identifiers
This section is unique to the IKEv2 Encrypted Payload usage of AES
GCM and AES CCM. It reuses the identifiers used to negotiate ESP
usage of AES GCM and AES CCM.
The following identifiers, previously allocated by IANA, are used to
negotiate the use of AES GCM and AES CCM as the Encryption (ENCR)
Transform for IKEv2 (i.e., for use with the IKEv2 Encrypted Payload):
14 for AES CCM with an 8-octet ICV;
15 for AES CCM with a 12-octet ICV;
16 for AES CCM with a 16-octet ICV;
18 for AES GCM with an 8-octet ICV;
19 for AES GCM with a 12-octet ICV; and
20 for AES GCM with a 16-octet ICV.
A 16-octet ICV size SHOULD be used with IKEv2, as the higher level of
security that it provides by comparison to smaller ICV sizes is
appropriate to IKEv2's key exchange and related functionality.
In general, the use of 12-octet ICVs (values 15 and 19) is NOT
RECOMMENDED in order to reduce the number of options for ICV size.
If an ICV size larger than 8 octets is appropriate, 16-octet ICVs
SHOULD be used.
7.3. Key Length
This section is based on Section 8.4 of [RFC4106] and Section 7.4 of
[RFC4309]. The Key Length requirements are common to AES GCM and AES
CCM and are identical to the key length requirements for ESP.
Because the AES supports three key lengths, the Key Length attribute
MUST be specified when any of the identifiers for AES GCM or AES CCM,
specified in Section 7.2 of this document, is used. The Key Length
attribute MUST have a value of 128, 192, or 256. The use of the
value 192 is NOT RECOMMENDED. If an AES key larger than 128 bits is
Black & McGrew Standards Track [Page 10]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
appropriate, a 256-bit AES key SHOULD be used. This reduces the
number of options for AES key length.
8. IKEv2 Algorithm Selection
This section applies to the use of any authenticated encryption
algorithm with the IKEv2 Encrypted Payload and is unique to that
usage.
IKEv2 (Section 3.3.3 of [RFC4306]) specifies that both an encryption
algorithm and an integrity checking algorithm are required for an IKE
SA (Security Association). This document updates [RFC4306] to
require that when an authenticated encryption algorithm is selected
as the encryption algorithm for any SA (IKE or ESP), an integrity
algorithm MUST NOT be selected for that SA. This document further
updates [RFC4306] to require that if all of the encryption algorithms
in any proposal are authenticated encryption algorithms, then the
proposal MUST NOT propose any integrity transforms.
9. Test Vectors
See Section 9 of [RFC4106] and Section 8 of [RFC4309] for references
that provide AES GCM and AES CCM test vectors.
10. RFC 5116 AEAD_* Algorithms
This section adds new algorithms to the AEAD_* algorithm framework
defined in [RFC5116] to encompass the usage of AES GCM and AES CCM
with IKEv2. An AEAD_* algorithm does not have any attributes or
parameters; each AEAD_* algorithm identifier defined in this document
completely specifies the AES key size and the ICV size to be used
(e.g., AEAD_AES_128_GCM uses a 128-bit AES key and a 16-octet ICV).
AEAD_* algorithm coverage of the AES GCM and AES CCM authenticated
encryption algorithms used with IKEv2 requires specification of eight
additional AEAD_* algorithms beyond the four algorithms specified in
[RFC5116]:
o Four AEAD_* algorithms are specified to allow 8- and 12-octet ICVs
to be used with the AES GCM and AEAD_* algorithms specified in
[RFC5116].
o The version of AES CCM used with IPsec (see [RFC4309]) uses an
11-octet nonce instead of the 12-octet nonce used by the version
of AES CCM specified in [RFC5116]. Six AEAD_* algorithms are
specified for this short nonce version of AES CCM.
Black & McGrew Standards Track [Page 11]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
This document recommends against the use of 192-bit AES keys, and
therefore does not specify AEAD_* algorithms for 192-bit AES keys.
10.1. AES GCM Algorithms with 8- and 12-octet ICVs
The following four AEAD_* algorithms are identical to the AEAD_*
algorithms specified in [RFC5116], except that an 8-octet ICV is used
instead of a 16-octet ICV.
10.1.1. AEAD_AES_128_GCM_8
This algorithm is identical to AEAD_AES_128_GCM (see Section 5.1 of
[RFC5116]), except that the tag length, t, is 8, and an
authentication tag with a length of 8 octets (64 bits) is used.
An AEAD_AES_128_GCM_8 ciphertext is exactly 8 octets longer than its
corresponding plaintext.
10.1.2. AEAD_AES_256_GCM_8
This algorithm is identical to AEAD_AES_256_GCM (see Section 5.2 of
[RFC5116]), except that the tag length, t, is 8, and an
authentication tag with a length of 8 octets (64 bits) is used.
An AEAD_AES_256_GCM_8 ciphertext is exactly 8 octets longer than its
corresponding plaintext.
10.1.3. AEAD_AES_128_GCM_12
This algorithm is identical to AEAD_AES_128_GCM (see Section 5.1 of
[RFC5116]), except that the tag length, t, is 12, and an
authentication tag with a length of 12 octets (64 bits) is used.
An AEAD_AES_128_GCM_12 ciphertext is exactly 12 octets longer than
its corresponding plaintext.
10.1.4. AEAD_AES_256_GCM_12
This algorithm is identical to AEAD_AES_256_GCM (see Section 5.2 of
[RFC5116], except that the tag length, t, is 12 and an authentication
tag with a length of 12 octets (64 bits) is used.
An AEAD_AES_256_GCM_12 ciphertext is exactly 12 octets longer than
its corresponding plaintext.
Black & McGrew Standards Track [Page 12]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
10.2. AES CCM Algorithms with an 11-octet Nonce
The following four AEAD algorithms employ the AES CCM algorithms with
an 11 octet nonce as specified in [RFC4309].
10.2.1. AEAD_AES_128_CCM_SHORT
The AEAD_AES_128_CCM_SHORT authenticated encryption algorithm is
identical to the AEAD_AES_128_CCM algorithm (see Section 5.3 of
[RFC5116]), except that it uses a nonce that is one octet shorter.
AEAD_AES_128_CCM_SHORT works as specified in [CCM]. It uses AES-128
as the block cipher by providing the key, nonce, associated data, and
plaintext to that mode of operation. The formatting and counter
generation function are as specified in Appendix A of [CCM], and the
values of the parameters identified in that appendix are as follows:
the nonce length n is 11,
the tag length t is 16, and
the value of q is 3.
An authentication tag with a length of 16 octets (128 bits) is used.
The AEAD_AES_128_CCM_SHORT ciphertext consists of the ciphertext
output of the CCM encryption operation concatenated with the
authentication tag output of the CCM encryption operation. Test
cases are provided in [CCM]. The input and output lengths are as
follows:
K_LEN is 16 octets,
P_MAX is 2^24 - 1 octets,
A_MAX is 2^64 - 1 octets,
N_MIN and N_MAX are both 11 octets, and
C_MAX is 2^24 + 15 octets.
An AEAD_AES_128_CCM_SHORT ciphertext is exactly 16 octets longer than
its corresponding plaintext.
Black & McGrew Standards Track [Page 13]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
10.2.2. AEAD_AES_256_CCM_SHORT
This algorithm is identical to AEAD_AES_128_CCM_SHORT, but with the
following differences:
K_LEN is 32 octets, instead of 16, and
AES-256 CCM is used instead of AES-128 CCM.
An AEAD_AES_256_CCM_SHORT ciphertext is exactly 16 octets longer than
its corresponding plaintext.
10.2.3. AEAD_AES_128_CCM_SHORT_8
This algorithm is identical to AEAD_AES_128_CCM_SHORT, except that
the tag length, t, is 8, and an authentication tag with a length of 8
octets (64 bits) is used.
An AEAD_AES_128_CCM_SHORT_8 ciphertext is exactly 8 octets longer
than its corresponding plaintext.
10.2.4. AEAD_AES_256_CCM_SHORT_8
This algorithm is identical to AEAD_AES_256_CCM_SHORT, except that
the tag length, t, is 8, and an authentication tag with a length of 8
octets (64 bits) is used.
An AEAD_AES_256_CCM_SHORT_8 ciphertext is exactly 8 octets longer
than its corresponding plaintext.
10.2.5. AEAD_AES_128_CCM_SHORT_12
This algorithm is identical to AEAD_AES_128_CCM_SHORT, except that
the tag length, t, is 12, and an authentication tag with a length of
12 octets (64 bits) is used.
An AEAD_AES_128_CCM_SHORT_12 ciphertext is exactly 12 octets longer
than its corresponding plaintext.
10.2.6. AEAD_AES_256_CCM_SHORT_12
This algorithm is identical to AEAD_AES_256_CCM_SHORT, except that
the tag length, t, is 12, and an authentication tag with a length of
8 octets (64 bits) is used.
An AEAD_AES_256_CCM_SHORT_12 ciphertext is exactly 12 octets longer
than its corresponding plaintext.
Black & McGrew Standards Track [Page 14]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
10.3. AEAD_* Algorithms and IKEv2
The following table lists the AES CCM and AES GCM AEAD_* algorithms
that can be negotiated by IKEv2 and provides the IKEv2 Encryption
(ENCR) Transform Identifier and Key Length Attribute combination that
is used to negotiate each algorithm.
+--------------------------+------------------+-------------+
| AEAD algorithm | ENCR Identifier | Key Length |
+--------------------------+------------------+-------------+
| AEAD_AES_128_GCM | 20 | 128 |
| AEAD_AES_256_GCM | 20 | 256 |
| AEAD_AES_128_GCM_8 | 18 | 128 |
| AEAD_AES_256_GCM_8 | 18 | 256 |
| AEAD_AES_128_GCM_12 | 19 | 128 |
| AEAD_AES_256_GCM_12 | 19 | 256 |
| AEAD_AES_128_CCM_SHORT | 16 | 128 |
| AEAD_AES_256_CCM_SHORT | 16 | 256 |
| AEAD_AES_128_CCM_SHORT_8 | 14 | 128 |
| AEAD_AES_256_CCM_SHORT_8 | 14 | 256 |
| AEAD_AES_128_CCM_SHORT_12| 15 | 128 |
| AEAD_AES_256_CCM_SHORT_12| 15 | 256 |
+--------------------------+------------------+-------------+
Each of the above AEAD_* algorithms is identical to the algorithm
designated by the combination of the IKEv2 ENCR Identifier and Key
Length Attribute shown on the same line of the table.
11. Security Considerations
For authenticated encryption security considerations, see the
entirety of [RFC5116], not just its security considerations section;
there are important security considerations that are discussed
outside the security considerations section of that document.
The security considerations for the use of AES GCM and AES CCM with
ESP apply to the use of these algorithms with the IKEv2 Encrypted
Payload, see Section 10 of [RFC4106] and Section 9 of [RFC4309]. Use
of AES GCM and AES CCM with IKEv2 does not create additional security
considerations beyond those for the use of AES GCM and AES CCM with
ESP.
For IKEv2 security considerations, see Section 5 of [RFC4306].
Black & McGrew Standards Track [Page 15]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
12. IANA Considerations
The Encryption Transform identifiers specified in Section 7.2 have
been previously assigned by IANA for use with ESP. This document
extends their usage to IKEv2 for the Encrypted Payload. No IANA
actions are required for this usage extension.
IANA has added the following entries to the Authenticated Encryption
with Associated Data (AEAD) Parameters Registry:
+--------------------------+----------------+--------------------+
| Name | Reference | Numeric Identifier |
+--------------------------+----------------+--------------------+
| AEAD_AES_128_GCM_8 | Section 10.1.1 | 5 |
| AEAD_AES_256_GCM_8 | Section 10.1.2 | 6 |
| AEAD_AES_128_GCM_12 | Section 10.1.3 | 7 |
| AEAD_AES_256_GCM_12 | Section 10.1.4 | 8 |
| AEAD_AES_128_CCM_SHORT | Section 10.2.1 | 9 |
| AEAD_AES_256_CCM_SHORT | Section 10.2.2 | 10 |
| AEAD_AES_128_CCM_SHORT_8 | Section 10.2.3 | 11 |
| AEAD_AES_256_CCM_SHORT_8 | Section 10.2.4 | 12 |
| AEAD_AES_128_CCM_SHORT_12| Section 10.2.5 | 13 |
| AEAD_AES_256_CCM_SHORT_12| Section 10.2.6 | 14 |
+--------------------------+----------------+--------------------+
An IANA registration of an AEAD algorithm does not constitute an
endorsement of that algorithm or its security.
13. Acknowledgments
See Section 13 of [RFC4106] and Section 12 of [RFC4309] for AES GCM
and AES CCM acknowledgments.
Also, we thank Charlie Kaufman, Pasi Eronen, Tero Kivinen, Steve
Kent, and Alfred Hoenes for their comprehensive reviews of this
document.
This document was originally prepared using 2-Word-v2.0.template.dot,
created by Joe Touch.
Black & McGrew Standards Track [Page 16]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
14. References
14.1. Normative References
[CCM] Dworkin, M., "NIST Special Publication 800-38C: The CCM
Mode for Authentication and Confidentiality", U.S. National
Institute of Standards and Technology,
<http://csrc.nist.gov/publications/nistpubs/800-38C/
SP800-38C.pdf>, updated July 2007.
[GCM] Dworkin, M., "NIST Special Publication 800-38D:
Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC.", U.S. National
Institute of Standards and Technology, November 2007,
<http://csrc.nist.gov/publications/nistpubs/800-38D/
SP-800-38D.pdf>, November 2007.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)", RFC
4106, June 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
4303, December 2005.
[RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM
Mode with IPsec Encapsulating Security Payload (ESP)", RFC
4309, December 2005.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, January 2008.
14.2. Informative References
[RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[RFC2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner,
"Internet Security Association and Key Management Protocol
(ISAKMP)", RFC 2408, November 1998.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
Black & McGrew Standards Track [Page 17]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
Author's Addresses
David L. Black
EMC Corporation
176 South Street
Hopkinton, MA 10748
Phone: +1 (508) 293-7953
EMail: black_david@emc.com
David A. McGrew
Cisco Systems, Inc.
510 McCarthy Blvd.
Milpitas, CA 95035
Phone: +1 (408) 525-8651
EMail: mcgrew@cisco.com
Black & McGrew Standards Track [Page 18]
^L
RFC 5282 Authenticated Encryption and IKEv2 August 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Black & McGrew Standards Track [Page 19]
^L
|