1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
|
Network Working Group A. Kato
Request for Comments: 5529 NTT Software Corporation
Category: Standards Track M. Kanda
NTT
S. Kanno
NTT Software Corporation
April 2009
Modes of Operation for Camellia for Use with IPsec
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
This document describes the use of the Camellia block cipher
algorithm in Cipher Block Chaining (CBC) mode, Counter (CTR) mode,
and Counter with CBC-MAC (CCM) mode as additional, optional-to-
implement Internet Key Exchange Protocol version 2 (IKEv2) and
Encapsulating Security Payload (ESP) mechanisms to provide
confidentiality, data origin authentication, and connectionless
integrity.
Kato, et al. Standards Track [Page 1]
^L
RFC 5529 Modes of Operation for Camellia for IPsec April 2009
Table of Contents
1. Introduction ....................................................2
1.1. Terminology ................................................3
2. The Camellia Cipher Algorithm ...................................3
2.1. Block Size and Padding .....................................3
2.2. Performance ................................................3
3. Modes ...........................................................3
3.1. Cipher Block Chaining ......................................3
3.2. Counter and Counter with CBC-MAC ...........................3
4. IKEv2 Conventions ...............................................4
4.1. Keying Material ............................................4
4.2. Transform Type 1 ...........................................5
4.3. Key Length Attribute .......................................5
5. Security Considerations .........................................5
6. IANA Considerations .............................................5
7. Acknowledgments .................................................5
8. References ......................................................5
8.1. Normative References .......................................5
8.2. Informative References .....................................6
1. Introduction
This document describes the use of the Camellia block cipher
algorithm [1] in Cipher Block Chaining (CBC) mode, Counter (CTR)
mode, and Counter with CBC-MAC (CCM) mode as additional, optional-to-
implement IKEv2 [2] and Encapsulating Security Payload (ESP) [3]
mechanisms to provide confidentiality, data origin authentication,
and connectionless integrity.
Since optimized source code is provided under several open source
licenses [9], Camellia is also adopted by several open source
projects (OpenSSL, FreeBSD, Linux, and Firefox Gran Paradiso).
The algorithm specification and object identifiers are described in
[1].
The Camellia web site [10] contains a wealth of information about
Camellia, including detailed specification, security analysis,
performance figures, reference implementation, optimized
implementation, test vectors, and intellectual property information.
The remainder of this document specifies the use of various modes of
operation for Camellia within the context of IPsec ESP. For further
information on how the various pieces of IPsec in general and ESP in
particular fit together to provide security services, please refer to
[11] and [3].
Kato, et al. Standards Track [Page 2]
^L
RFC 5529 Modes of Operation for Camellia for IPsec April 2009
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [4].
2. The Camellia Cipher Algorithm
All symmetric block cipher algorithms share common characteristics
and variables, including mode, key size, weak keys, block size, and
rounds. The relevant characteristics of Camellia are described in
[1].
2.1. Block Size and Padding
Camellia uses a block size of 16 octets (128 bits).
Padding requirements are described:
(a) Camellia Padding requirement is specified in [3],
(b) Camellia-CBC Padding requirement is specified in [3],
(c) Camellia-CCM Padding requirement is specified in [5], and
(d) ESP Padding requirement is specified in [3].
2.2. Performance
Performance figures for Camellia are available at [10]. The NESSIE
project has reported on the performance of optimized implementations
independently [12].
3. Modes
This document describes three modes of operation for the use of
Camellia with IPsec: CBC (Cipher Block Chaining), CTR (Counter), and
CCM (Counter with CBC-MAC).
3.1. Cipher Block Chaining
Camellia CBC mode is defined in [6].
3.2. Counter and Counter with CBC-MAC
Camellia in CTR and CCM modes is used in IPsec as AES in [7] and [8].
In this specification, CCM is used with the Camellia [13] block
cipher.
Kato, et al. Standards Track [Page 3]
^L
RFC 5529 Modes of Operation for Camellia for IPsec April 2009
4. IKEv2 Conventions
This section describes the transform ID and conventions used to
generate keying material for use with ENCR_CAMELLIA_CBC,
ENCR_CAMELLIA_CTR, and ENCR_CAMELLIA_CCM using the Internet Key
Exchange (IKEv2) [2].
4.1. Keying Material
The size of KEYMAT MUST be equal or longer than the associated
Camellia key. The keying material is used as follows:
Camellia-CBC with a 128-bit key
The KEYMAT requested for each Camellia-CBC key is 16 octets. All
16 octets are the 128-bit Camellia key.
Camellia-CBC with a 192-bit key
The KEYMAT requested for each Camellia-CBC key is 24 octets. All
24 octets are the 192-bit Camellia key.
Camellia-CBC with a 256-bit key
The KEYMAT requested for each Camellia-CBC key is 32 octets. All
32 octets are the 256-bit Camellia key.
Camellia-CTR with a 128-bit key
The KEYMAT requested for each Camellia-CTR key is 20 octets. The
first 16 octets are the 128-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.
Camellia-CTR with a 192-bit key
The KEYMAT requested for each Camellia-CTR key is 28 octets. The
first 24 octets are the 192-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.
Camellia-CTR with a 256-bit key
The KEYMAT requested for each Camellia-CTR key is 36 octets. The
first 32 octets are the 256-bit Camellia key, and the remaining
four octets are used as the nonce value in the counter block.
Camellia-CCM with a 128-bit key
The KEYMAT requested for each Camellia-CCM key is 19 octets. The
first 16 octets are the 128-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.
Camellia-CCM with a 192-bit key
The KEYMAT requested for each Camellia-CCM key is 27 octets. The
first 24 octets are the 192-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.
Kato, et al. Standards Track [Page 4]
^L
RFC 5529 Modes of Operation for Camellia for IPsec April 2009
Camellia-CCM with a 256-bit key
The KEYMAT requested for each Camellia-CCM key is 35 octets. The
first 32 octets are the 256-bit Camellia key, and the remaining
three octets are used as the salt value in the counter block.
4.2. Transform Type 1
For IKEv2 negotiations, IANA has assigned five ESP Transform
Identifiers for Camellia-CBC, Camellia-CTR, and Camellia-CCM, as
recorded in Section 6.
4.3. Key Length Attribute
Since Camellia supports three key lengths, the Key Length attribute
MUST be specified in the IKE exchange [2]. The Key Length attribute
MUST have a value of 128, 192, or 256 bits.
5. Security Considerations
For security considerations of CTR and CCM mode, this document refers
to Section 9 of [7] and Section 7 of [8].
No security problem has been found for Camellia [14], [12].
6. IANA Considerations
IANA has assigned IKEv2 parameters for use with Camellia-CTR and with
Camellia-CCM for Transform Type 1 (Encryption Algorithm):
23 for ENCR_CAMELLIA_CBC;
24 for ENCR_CAMELLIA_CTR;
25 for ENCR_CAMELLIA_CCM with an 8-octet ICV;
26 for ENCR_CAMELLIA_CCM with a 12-octet ICV; and
27 for ENCR_CAMELLIA_CCM with a 16-octet ICV.
7. Acknowledgments
We thank Tim Polk and Tero Kivinen for their initial review of this
document. Thanks to Derek Atkins and Rui Hodai for their comments
and suggestions. Special thanks to Alfred Hoenes for several very
detailed reviews and suggestions.
8. References
8.1. Normative References
[1] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
Camellia Encryption Algorithm", RFC 3713, April 2004.
Kato, et al. Standards Track [Page 5]
^L
RFC 5529 Modes of Operation for Camellia for IPsec April 2009
[2] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[3] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
December 2005.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[5] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: the CCM Mode for Authentication and
Confidentiality", NIST Special Publication 800-38C, July 2007,
<http://csrc.nist.gov/publications/nistpubs/800-38C/
SP800-38C_updated-July20_2007.pdf>.
[6] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
Algorithm and Its Use With IPsec", RFC 4312, December 2005.
[7] Housley, R., "Using Advanced Encryption Standard (AES) CCM Mode
with IPsec Encapsulating Security Payload (ESP)", RFC 4309,
December 2005.
[8] Housley, R., "Using Advanced Encryption Standard (AES) Counter
Mode With IPsec Encapsulating Security Payload (ESP)",
RFC 3686, January 2004.
8.2. Informative References
[9] "Camellia open source software",
<http://info.isl.ntt.co.jp/crypt/eng/camellia/source.html>.
[10] "Camellia web site", <http://info.isl.ntt.co.jp/camellia/>.
[11] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005.
[12] "The NESSIE project (New European Schemes for Signatures,
Integrity and Encryption)",
<http://www.cosic.esat.kuleuven.be/nessie/>.
[13] Kato, A., Kanda, M., and S. Kanno, "Camellia Counter Mode and
Camellia Counter with CBC-MAC Mode Algorithms", RFC 5528,
April 2009.
[14] Information-technology Promotion Agency (IPA), "Cryptography
Research and Evaluation Committees",
<http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html>.
Kato, et al. Standards Track [Page 6]
^L
RFC 5529 Modes of Operation for Camellia for IPsec April 2009
Authors' Addresses
Akihiro Kato
NTT Software Corporation
Phone: +81-45-212-7577
Fax: +81-45-212-9800
EMail: akato@po.ntts.co.jp
Masayuki Kanda
NTT
Phone: +81-422-59-3456
Fax: +81-422-59-4015
EMail: kanda.masayuki@lab.ntt.co.jp
Satoru Kanno
NTT Software Corporation
Phone: +81-45-212-7577
Fax: +81-45-212-9800
EMail: kanno-s@po.ntts.co.jp
Kato, et al. Standards Track [Page 7]
^L
|
