[AVTCORE] draft-avtcore-srtp-aes-gcm test vectors

"Igoe, Kevin M." <kmigoe@nsa.gov> Wed, 29 April 2015 19:29 UTC

There was a request that draft-avtcore-srtp-aes-gcm include some
test vectors.  Below are test vectors, one set for each of
aes_128_gcm_8, aes_128_gcm, and aes_256_gcm.  Each set has
an example encrypt & tag, verify & decrypt, tag only and verify only.
I may have "overachieved" in the volume of data produced, but my
experience has shown that when trying to track down a bug in your
code, you can never have too many intermediate values to help track
it down.

I have been thinking it would suffice to do 4 examples (encrypt, decrypt,
tag only and verify only) using each of the three algorithms at least once.
It doesn't matter to me, I've got my code up and running and can generate
as much or as little data as possible.

I'm hoping to have a much briefer set for RTCP.  The crypt is much the
same, the principal difference being where the fields you are using are
located within an RTCP packet vice an RTP packet.


============================================
============================================
==========                        ==========
==========  Test vectors galore   ==========
==========                        ==========
============================================
============================================

16. Some RTP Test Vectors

   The examples in this section are all based upon the same RTP packet


            8040f17b 8041f8d3 5501a0b2 47616c6c
            69612065 7374206f 6d6e6973 20646976
            69736120 696e2070 61727465 73207472
            6573

   consisting of a 12 octet header (8040f17b 8041f8d3 5501a0b2) and a 38
   octet payload (47616c6c 69612065 7374206f 6d6e6973 20646976 69736120
   696e2070 61727465 73207472 6573) which is just the ASCII string
   "Gallia est omnis divisa in partes tres".  The salt used (51756964
   2070726f 2071756f) comes from the ASCII string "Quid pro quo".  The
   16 octet (128 bit) key is 00 01 02 ...  0f and the 32 octet (256 bit)
   key is 00 01 02 ...  1f.  The RTP payload type (1000000 binary = 64
   decimal) was at the time this document was written an unassigned
   value.

   As shown in section 8.1, the IV is formed by XORing two 12-octet
   values.  The first 12-octet value is formed by concatenating two zero
   octets, the 4-octet SSRC (found in the 9th thru 12th octets of the
   packet), the 4-octet rollover counter ROC maintained at each end of
   the link, and the 2-octet sequence number SEQ (found in the 3rd and
   4th octets of the packet).  The second 12-octet value is the salt, a
   value that is held constant at least until the key is changed.


Igoe and McGrew                Standards Track                 [Page 23]


Internet Draft               AES-GCM for SRTP               Apr 29, 2015

             | Pad |   SSRC    |    ROC    | SEQ |
              00 00 55 01 a0 b2 00 00 00 00 f1 7b
       salt   51 75 69 64 20 70 72 6f 20 71 75 6f
              ------------------------------------
         IV   51 75 3c 65 80 c2 72 6f 20 71 84 14

   All of the examples use this IV.


16.1. AEAD_AES_128_GCM_8


16.1.1. AEAD_AES_128_GCM_8 Encryption

     Encrypting the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key:  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
     AAD: 8040f17b 8041f8d3 5501a0b2
      PT: 47616c6c 69612065 7374206f 6d6e6973
          20646976 69736120 696e2070 61727465
          73207472 6573
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: c6a13b37878f5b826f4f8162a1c8d879

     Encrypt plaintext
       block # 0
         IV||blk_cntr: 51753c6580c2726f2071841400000002
            key_block: b5 2c 8f cf 92 55 fe 09 df ce a6 73 f0 10 22 b9
          plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73
         cipher_block: f2 4d e3 a3 fb 34 de 6c ac ba 86 1c 9d 7e 4b ca
       block # 1
         IV||blk_cntr: 51753c6580c2726f2071841400000003
            key_block: 9e 07 52 a3 64 5a 2f 4f 2b cb d4 0a 30 b5 a5 fe
          plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65
         cipher_block: be 63 3b d5 0d 29 4e 6f 42 a5 f4 7a 51 c7 d1 9b
       block # 2
         IV||blk_cntr: 51753c6580c2726f2071841400000004
            key_block: 45 fe 4e ad ed 40 0a 5d 1a f3 63 f9 0c e1 49 3b
          plain_block: 73 20 74 72 65 73
         cipher_block: 36 de 3a df 88 33

     Cipher before tag appended
          f24de3a3 fb34de6c acba861c 9d7e4bca
          be633bd5 0d294e6f 42a5f47a 51c7d19b
          36de3adf 8833

     Compute GMAC tag

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b200000000
         partial hash: bcfb3d1d0e6e3e78ba45403377dba11b

       Process Cipher
          Cipher word: f24de3a3fb34de6cacba861c9d7e4bca
         partial hash: 0ebc0abe1b15b32fedd2b07888c1ef61
          Cipher word: be633bd50d294e6f42a5f47a51c7d19b
         partial hash: 438e5797011ea860585709a2899f4685
          Cipher word: 36de3adf883300000000000000000000
         partial hash: 336fb643310d7bac2aeaa76247f6036d

       Process Length Word
          Length word: 00000000000000600000000000000130
         partial hash: 1b964067078c408c4e442a8f015e5264

     Turn GHASH into GMAC
                GHASH: 1b 96 40 67 07 8c 40 8c 4e 44 2a 8f 01 5e 52 64
                   K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa
            full GMAC: 89 9d 7f 27 be b1 6a 91 52 cf 76 5e e4 39 0c ce
       truncated GMAC: 89 9d 7f 27 be b1 6a 91

     Cipher with tag
          f24de3a3 fb34de6c acba861c 9d7e4bca
          be633bd5 0d294e6f 42a5f47a 51c7d19b
          36de3adf 8833899d 7f27beb1 6a91

     Encrypted and Tagged packet:
          8040f17b 8041f8d3 5501a0b2 f24de3a3
          fb34de6c acba861c 9d7e4bca be633bd5
          0d294e6f 42a5f47a 51c7d19b 36de3adf
          8833899d 7f27beb1 6a91

16.1.2. AEAD_AES_128_GCM_8 Decryption

     Decrypting the following packet:

          8040f17b 8041f8d3 5501a0b2 f24de3a3
          fb34de6c acba861c 9d7e4bca be633bd5
          0d294e6f 42a5f47a 51c7d19b 36de3adf
          8833899d 7f27beb1 6a91


     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
     AAD: 8040f17b 8041f8d3 5501a0b2
      CT: f24de3a3 fb34de6c acba861c 9d7e4bca
          be633bd5 0d294e6f 42a5f47a 51c7d19b
          36de3adf 8833899d 7f27beb1 6a91
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: c6a13b37878f5b826f4f8162a1c8d879

     Verify received tag  899d7f27 beb16a91

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b200000000
         partial hash: bcfb3d1d0e6e3e78ba45403377dba11b

       Process Cipher
          Cipher word: f24de3a3fb34de6cacba861c9d7e4bca
         partial hash: 0ebc0abe1b15b32fedd2b07888c1ef61
          Cipher word: be633bd50d294e6f42a5f47a51c7d19b
         partial hash: 438e5797011ea860585709a2899f4685
          Cipher word: 36de3adf883300000000000000000000
         partial hash: 336fb643310d7bac2aeaa76247f6036d

       Process Length Word
          Length word: 00000000000000600000000000000130
         partial hash: 1b964067078c408c4e442a8f015e5264

     Turn GHASH into GMAC
                GHASH: 1b 96 40 67 07 8c 40 8c 4e 44 2a 8f 01 5e 52 64
                   K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa
            full GMAC: 89 9d 7f 27 be b1 6a 91 52 cf 76 5e e4 39 0c ce
       truncated GMAC: 89 9d 7f 27 be b1 6a 91

          received tag =  899d7f27 beb16a91
          Computed tag =  899d7f27 beb16a91
       Received tag verified.

     Decrypt cipher
       block # 0
         IV||blk_cntr: 51753c6580c2726f2071841400000002
            key_block: b5 2c 8f cf 92 55 fe 09 df ce a6 73 f0 10 22 b9
         cipher_block: f2 4d e3 a3 fb 34 de 6c ac ba 86 1c 9d 7e 4b ca
          plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73
       block # 1
         IV||blk_cntr: 51753c6580c2726f2071841400000003
            key_block: 9e 07 52 a3 64 5a 2f 4f 2b cb d4 0a 30 b5 a5 fe
         cipher_block: be 63 3b d5 0d 29 4e 6f 42 a5 f4 7a 51 c7 d1 9b
          plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65
       block # 2
         IV||blk_cntr: 51753c6580c2726f2071841400000004
            key_block: 45 fe 4e ad ed 40 0a 5d 1a f3 63 f9 0c e1 49 3b
         cipher_block: 36 de 3a df 88 33
          plain_block: 73 20 74 72 65 73

     Verified and Tagged packet:
          47616c6c 69612065 7374206f 6d6e6973
          20646976 69736120 696e2070 61727465
          73207472 6573

16.1.3. AEAD_AES_128_GCM_8 Authentication Tagging

     Tagging the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key:  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
     AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: c6a13b37878f5b826f4f8162a1c8d879

     Encrypt plaintext

     Compute GMAC tag

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b247616c6c
         partial hash: 79f41fea34a474a77609d8925e9f2b22
             AAD word: 696120657374206f6d6e697320646976
         partial hash: 84093a2f85abf17ab37d3ce2f706138f
             AAD word: 69736120696e20706172746573207472
         partial hash: ab2760fee24e6dec754739d8059cd144
             AAD word: 65730000000000000000000000000000
         partial hash: e84f3c55d287fc561c41d09a8aada4be

       Process Length Word
          Length word: 00000000000001900000000000000000
         partial hash: b04200c26b81c98af55cc2eafccd1cbc



     Turn GHASH into GMAC
                GHASH: b0 42 00 c2 6b 81 c9 8a f5 5c c2 ea fc cd 1c bc
                   K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa
            full GMAC: 22 49 3f 82 d2 bc e3 97 e9 d7 9e 3b 19 aa 42 16
       truncated GMAC: 22 49 3f 82 d2 bc e3 97

     Cipher with tag
          22493f82 d2bce397

     Tagged Packet:
          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          65732249 3f82d2bc e397

16.1.4. AEAD_AES_128_GCM_8 Tag Verification

     Verifying the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          65732249 3f82d2bc e397

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
     AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573
      CT: 22493f82 d2bce397
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: c6a13b37878f5b826f4f8162a1c8d879

     Verify received tag  22493f82 d2bce397

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b247616c6c
         partial hash: 79f41fea34a474a77609d8925e9f2b22
             AAD word: 696120657374206f6d6e697320646976
         partial hash: 84093a2f85abf17ab37d3ce2f706138f
             AAD word: 69736120696e20706172746573207472
         partial hash: ab2760fee24e6dec754739d8059cd144
             AAD word: 65730000000000000000000000000000
         partial hash: e84f3c55d287fc561c41d09a8aada4be

       Process Length Word
          Length word: 00000000000001900000000000000000
         partial hash: b04200c26b81c98af55cc2eafccd1cbc

     Turn GHASH into GMAC
                GHASH: b0 42 00 c2 6b 81 c9 8a f5 5c c2 ea fc cd 1c bc
                   K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa
            full GMAC: 22 49 3f 82 d2 bc e3 97 e9 d7 9e 3b 19 aa 42 16
       truncated GMAC: 22 49 3f 82 d2 bc e3 97

          received tag =  22493f82 d2bce397
          Computed tag =  22493f82 d2bce397
       Received tag verified.
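
Added example (not part of the draft or of the original message): a standard-library Python check that rebuilds the IV and replays the GHASH/GMAC steps of 16.1 above, then verifies the tagged packets with a constant-time compare. H and K0 are copied from the vectors rather than computed with AES, the function names are chosen for this example, and the 12-octet header length is an assumption that holds for this packet (no CSRCs, no extension).

```python
import hmac

# Values copied from the AES-128 vectors above (key 00 01 .. 0f).
H = bytes.fromhex("c6a13b37878f5b826f4f8162a1c8d879")   # "H" line
K0 = bytes.fromhex("920b3f40b93d2a1d1c8b5cd1e5675eaa")  # "K0" line
SALT = b"Quid pro quo"
HEADER = bytes.fromhex("8040f17b8041f8d35501a0b2")
# 16.1.1 "Encrypted and Tagged packet" (8-octet tag)
ENC_TAGGED_8 = bytes.fromhex(
    "8040f17b8041f8d35501a0b2f24de3a3fb34de6cacba861c9d7e4bcabe633bd5"
    "0d294e6f42a5f47a51c7d19b36de3adf8833899d7f27beb16a91")
# 16.1.3 "Tagged Packet": cleartext payload, 8-octet tag
TAG_ONLY_8 = (HEADER + b"Gallia est omnis divisa in partes tres"
              + bytes.fromhex("22493f82d2bce397"))

RTP_HEADER_LEN = 12  # assumption: fixed header only (no CSRCs, no extension)
R = 0xE1 << 120      # GCM reduction constant


def form_iv(packet, roc, salt):
    """(00 00 || SSRC || ROC || SEQ) XOR salt, as in the IV table."""
    raw = b"\x00\x00" + packet[8:12] + roc.to_bytes(4, "big") + packet[2:4]
    return bytes(a ^ b for a, b in zip(raw, salt))


def gf_mult(x, y):
    """Multiply in GF(2^128) using GCM's bit order (leftmost bit = x^0)."""
    z, v = 0, y
    for i in range(127, -1, -1):
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash_steps(h, aad, ct):
    """Return each 'partial hash' in the order the vectors list them."""
    def blocks(data):
        data += b"\x00" * (-len(data) % 16)  # zero-pad to a 16-octet boundary
        return [data[i:i + 16] for i in range(0, len(data), 16)]

    # Length word: bit length of AAD, then bit length of ciphertext.
    length_word = (len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big")
    hk, y, steps = int.from_bytes(h, "big"), 0, []
    for blk in blocks(aad) + blocks(ct) + [length_word]:
        y = gf_mult(y ^ int.from_bytes(blk, "big"), hk)
        steps.append(y.to_bytes(16, "big"))
    return steps


def gmac_tag(h, k0, aad, ct, tag_len):
    """GHASH XOR K0, truncated to tag_len octets (8 for AEAD_AES_128_GCM_8)."""
    ghash = ghash_steps(h, aad, ct)[-1]
    return bytes(a ^ b for a, b in zip(ghash, k0))[:tag_len]


def verify(packet, tag_len, h, k0, encrypted):
    """Recompute the tag and compare it in constant time.

    encrypted=True : AAD is the header, the rest is ciphertext (16.1.2).
    encrypted=False: the whole packet is AAD, no ciphertext (16.1.4).
    As in 16.1.2, this check comes before any decryption.
    """
    if len(packet) < RTP_HEADER_LEN + tag_len:
        return False  # too short to hold a header and a tag
    body, tag = packet[:-tag_len], packet[-tag_len:]
    if encrypted:
        aad, ct = body[:RTP_HEADER_LEN], body[RTP_HEADER_LEN:]
    else:
        aad, ct = body, b""
    return hmac.compare_digest(gmac_tag(h, k0, aad, ct, tag_len), tag)


if __name__ == "__main__":
    print("IV:", form_iv(ENC_TAGGED_8, 0, SALT).hex())
    for step in ghash_steps(H, ENC_TAGGED_8[:12], ENC_TAGGED_8[12:-8]):
        print("partial hash:", step.hex())
    print("encrypted packet ok:", verify(ENC_TAGGED_8, 8, H, K0, True))
    print("tag-only packet ok: ", verify(TAG_ONLY_8, 8, H, K0, False))
    flipped = bytearray(ENC_TAGGED_8)
    flipped[20] ^= 0x01  # one ciphertext bit changed in transit
    print("tampered packet ok: ", verify(bytes(flipped), 8, H, K0, True))
```

The printed partial hashes can be compared line by line with the "partial hash" values in 16.1.1 when tracking down a GHASH bug.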

16.2. AEAD_AES_128_GCM


16.2.1. AEAD_AES_128_GCM Encryption

     Encrypting the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key:  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
     AAD: 8040f17b 8041f8d3 5501a0b2
      PT: 47616c6c 69612065 7374206f 6d6e6973
          20646976 69736120 696e2070 61727465
          73207472 6573
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: c6a13b37878f5b826f4f8162a1c8d879

     Encrypt plaintext
       block # 0
         IV||blk_cntr: 51753c6580c2726f2071841400000002
            key_block: b5 2c 8f cf 92 55 fe 09 df ce a6 73 f0 10 22 b9
          plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73
         cipher_block: f2 4d e3 a3 fb 34 de 6c ac ba 86 1c 9d 7e 4b ca
       block # 1
         IV||blk_cntr: 51753c6580c2726f2071841400000003
            key_block: 9e 07 52 a3 64 5a 2f 4f 2b cb d4 0a 30 b5 a5 fe
          plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65
         cipher_block: be 63 3b d5 0d 29 4e 6f 42 a5 f4 7a 51 c7 d1 9b
       block # 2
         IV||blk_cntr: 51753c6580c2726f2071841400000004
            key_block: 45 fe 4e ad ed 40 0a 5d 1a f3 63 f9 0c e1 49 3b
          plain_block: 73 20 74 72 65 73
         cipher_block: 36 de 3a df 88 33

     Cipher before tag appended
          f24de3a3 fb34de6c acba861c 9d7e4bca
          be633bd5 0d294e6f 42a5f47a 51c7d19b
          36de3adf 8833

     Compute GMAC tag

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b200000000
         partial hash: bcfb3d1d0e6e3e78ba45403377dba11b

       Process Cipher
          Cipher word: f24de3a3fb34de6cacba861c9d7e4bca
         partial hash: 0ebc0abe1b15b32fedd2b07888c1ef61
          Cipher word: be633bd50d294e6f42a5f47a51c7d19b
         partial hash: 438e5797011ea860585709a2899f4685
          Cipher word: 36de3adf883300000000000000000000
         partial hash: 336fb643310d7bac2aeaa76247f6036d

       Process Length Word
          Length word: 00000000000000600000000000000130
         partial hash: 1b964067078c408c4e442a8f015e5264

     Turn GHASH into GMAC
                GHASH: 1b 96 40 67 07 8c 40 8c 4e 44 2a 8f 01 5e 52 64
                   K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa
            full GMAC: 89 9d 7f 27 be b1 6a 91 52 cf 76 5e e4 39 0c ce

     Cipher with tag
          f24de3a3 fb34de6c acba861c 9d7e4bca
          be633bd5 0d294e6f 42a5f47a 51c7d19b
          36de3adf 8833899d 7f27beb1 6a9152cf
          765ee439 0cce

     Encrypted and Tagged packet:
          8040f17b 8041f8d3 5501a0b2 f24de3a3
          fb34de6c acba861c 9d7e4bca be633bd5
          0d294e6f 42a5f47a 51c7d19b 36de3adf
          8833899d 7f27beb1 6a9152cf 765ee439
          0cce

16.2.2. AEAD_AES_128_GCM Decryption

     Decrypting the following packet:

          8040f17b 8041f8d3 5501a0b2 f24de3a3
          fb34de6c acba861c 9d7e4bca be633bd5
          0d294e6f 42a5f47a 51c7d19b 36de3adf
          8833899d 7f27beb1 6a9152cf 765ee439
          0cce


     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
     AAD: 8040f17b 8041f8d3 5501a0b2
      CT: f24de3a3 fb34de6c acba861c 9d7e4bca
          be633bd5 0d294e6f 42a5f47a 51c7d19b
          36de3adf 8833899d 7f27beb1 6a9152cf
          765ee439 0cce
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: c6a13b37878f5b826f4f8162a1c8d879

     Verify received tag  899d7f27 beb16a91 52cf765e e4390cce

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b200000000
         partial hash: bcfb3d1d0e6e3e78ba45403377dba11b

       Process Cipher
          Cipher word: f24de3a3fb34de6cacba861c9d7e4bca
         partial hash: 0ebc0abe1b15b32fedd2b07888c1ef61
          Cipher word: be633bd50d294e6f42a5f47a51c7d19b
         partial hash: 438e5797011ea860585709a2899f4685
          Cipher word: 36de3adf883300000000000000000000
         partial hash: 336fb643310d7bac2aeaa76247f6036d

       Process Length Word
          Length word: 00000000000000600000000000000130
         partial hash: 1b964067078c408c4e442a8f015e5264

     Turn GHASH into GMAC
                GHASH: 1b 96 40 67 07 8c 40 8c 4e 44 2a 8f 01 5e 52 64
                   K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa
            full GMAC: 89 9d 7f 27 be b1 6a 91 52 cf 76 5e e4 39 0c ce

          received tag =  899d7f27 beb16a91 52cf765e e4390cce
          Computed tag =  899d7f27 beb16a91 52cf765e e4390cce
       Received tag verified.

     Decrypt cipher
       block # 0
         IV||blk_cntr: 51753c6580c2726f2071841400000002
            key_block: b5 2c 8f cf 92 55 fe 09 df ce a6 73 f0 10 22 b9
         cipher_block: f2 4d e3 a3 fb 34 de 6c ac ba 86 1c 9d 7e 4b ca
          plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73
       block # 1
         IV||blk_cntr: 51753c6580c2726f2071841400000003
            key_block: 9e 07 52 a3 64 5a 2f 4f 2b cb d4 0a 30 b5 a5 fe
         cipher_block: be 63 3b d5 0d 29 4e 6f 42 a5 f4 7a 51 c7 d1 9b
          plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65
       block # 2
         IV||blk_cntr: 51753c6580c2726f2071841400000004
            key_block: 45 fe 4e ad ed 40 0a 5d 1a f3 63 f9 0c e1 49 3b
         cipher_block: 36 de 3a df 88 33
          plain_block: 73 20 74 72 65 73

     Verified and Tagged packet:
          47616c6c 69612065 7374206f 6d6e6973
          20646976 69736120 696e2070 61727465
          73207472 6573

16.2.3. AEAD_AES_128_GCM Authentication Tagging

     Tagging the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key:  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
     AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: c6a13b37878f5b826f4f8162a1c8d879

     Encrypt plaintext

     Compute GMAC tag

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b247616c6c
         partial hash: 79f41fea34a474a77609d8925e9f2b22
             AAD word: 696120657374206f6d6e697320646976
         partial hash: 84093a2f85abf17ab37d3ce2f706138f
             AAD word: 69736120696e20706172746573207472
         partial hash: ab2760fee24e6dec754739d8059cd144
             AAD word: 65730000000000000000000000000000
         partial hash: e84f3c55d287fc561c41d09a8aada4be

       Process Length Word
          Length word: 00000000000001900000000000000000
         partial hash: b04200c26b81c98af55cc2eafccd1cbc



     Turn GHASH into GMAC
                GHASH: b0 42 00 c2 6b 81 c9 8a f5 5c c2 ea fc cd 1c bc
                   K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa
            full GMAC: 22 49 3f 82 d2 bc e3 97 e9 d7 9e 3b 19 aa 42 16

     Cipher with tag
          22493f82 d2bce397 e9d79e3b 19aa4216

     Tagged Packet:
          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          65732249 3f82d2bc e397e9d7 9e3b19aa
          4216

16.2.4. AEAD_AES_128_GCM Tag Verification

     Verifying the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          65732249 3f82d2bc e397e9d7 9e3b19aa
          4216

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
     AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573
      CT: 22493f82 d2bce397 e9d79e3b 19aa4216
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: c6a13b37878f5b826f4f8162a1c8d879

     Verify received tag  22493f82 d2bce397 e9d79e3b 19aa4216

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b247616c6c
         partial hash: 79f41fea34a474a77609d8925e9f2b22
             AAD word: 696120657374206f6d6e697320646976
         partial hash: 84093a2f85abf17ab37d3ce2f706138f
             AAD word: 69736120696e20706172746573207472
         partial hash: ab2760fee24e6dec754739d8059cd144
             AAD word: 65730000000000000000000000000000
         partial hash: e84f3c55d287fc561c41d09a8aada4be

       Process Length Word
          Length word: 00000000000001900000000000000000
         partial hash: b04200c26b81c98af55cc2eafccd1cbc

     Turn GHASH into GMAC
                GHASH: b0 42 00 c2 6b 81 c9 8a f5 5c c2 ea fc cd 1c bc
                   K0: 92 0b 3f 40 b9 3d 2a 1d 1c 8b 5c d1 e5 67 5e aa
            full GMAC: 22 49 3f 82 d2 bc e3 97 e9 d7 9e 3b 19 aa 42 16

          received tag =  22493f82 d2bce397 e9d79e3b 19aa4216
          Computed tag =  22493f82 d2bce397 e9d79e3b 19aa4216
       Received tag verified.

16.3. AEAD_AES_256_GCM


16.3.1. AEAD_AES_256_GCM Encryption

     Encrypting the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
     AAD: 8040f17b 8041f8d3 5501a0b2
      PT: 47616c6c 69612065 7374206f 6d6e6973
          20646976 69736120 696e2070 61727465
          73207472 6573
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: f29000b62a499fd0a9f39a6add2e7780

     Encrypt plaintext
       block # 0
         IV||blk_cntr: 51753c6580c2726f2071841400000002
            key_block: 75 d0 b2 14 c1 43 de 77 9c eb 58 95 5e 40 5a d9
          plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73
         cipher_block: 32 b1 de 78 a8 22 fe 12 ef 9f 78 fa 33 2e 33 aa
       block # 1
         IV||blk_cntr: 51753c6580c2726f2071841400000003
            key_block: 91 e4 7b 4e f3 2b 83 d3 dc 65 0a 72 17 8d da 6a
          plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65
         cipher_block: b1 80 12 38 9a 58 e2 f3 b5 0b 2a 02 76 ff ae 0f
       block # 2
         IV||blk_cntr: 51753c6580c2726f2071841400000004
            key_block: 68 86 43 eb dd 08 07 98 16 3a 16 d5 e5 04 f6 3a
          plain_block: 73 20 74 72 65 73
         cipher_block: 1b a6 37 99 b8 7b

     Cipher before tag appended
          32b1de78 a822fe12 ef9f78fa 332e33aa
          b1801238 9a58e2f3 b50b2a02 76ffae0f
          1ba63799 b87b

     Compute GMAC tag

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b200000000
         partial hash: 0154dcb75485b71880e1957c877351bd

       Process Cipher
          Cipher word: 32b1de78a822fe12ef9f78fa332e33aa
         partial hash: c3f07db9a8b9cb4345eb07f793d322d2
          Cipher word: b18012389a58e2f3b50b2a0276ffae0f
         partial hash: 6d1e66fe32eb32ecd8906ceab09db996
          Cipher word: 1ba63799b87b00000000000000000000
         partial hash: b3d1d2f1fa3b366619bc42cd2eedafee

       Process Length Word
          Length word: 00000000000000600000000000000130
         partial hash: 7debf5fa1fac3bd318d5e1a7ee401091

     Turn GHASH into GMAC
                GHASH: 7d eb f5 fa 1f ac 3b d3 18 d5 e1 a7 ee 40 10 91
                   K0: 07 48 2e cc c0 53 ed 63 e1 6e 99 df 39 e7 7c 82
            full GMAC: 7a a3 db 36 df ff d6 b0 f9 bb 78 78 d7 a7 6c 13

     Cipher with tag
          32b1de78 a822fe12 ef9f78fa 332e33aa
          b1801238 9a58e2f3 b50b2a02 76ffae0f
          1ba63799 b87b7aa3 db36dfff d6b0f9bb
          7878d7a7 6c13

     Encrypted and Tagged packet:
          8040f17b 8041f8d3 5501a0b2 32b1de78
          a822fe12 ef9f78fa 332e33aa b1801238
          9a58e2f3 b50b2a02 76ffae0f 1ba63799
          b87b7aa3 db36dfff d6b0f9bb 7878d7a7
          6c13

16.3.2. AEAD_AES_256_GCM Decryption

     Decrypting the following packet:

          8040f17b 8041f8d3 5501a0b2 32b1de78
          a822fe12 ef9f78fa 332e33aa b1801238
          9a58e2f3 b50b2a02 76ffae0f 1ba63799
          b87b7aa3 db36dfff d6b0f9bb 7878d7a7
          6c13

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
     AAD: 8040f17b 8041f8d3 5501a0b2
      CT: 32b1de78 a822fe12 ef9f78fa 332e33aa
          b1801238 9a58e2f3 b50b2a02 76ffae0f
          1ba63799 b87b7aa3 db36dfff d6b0f9bb
          7878d7a7 6c13
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: f29000b62a499fd0a9f39a6add2e7780

     Verify received tag  7aa3db36 dfffd6b0 f9bb7878 d7a76c13

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b200000000
         partial hash: 0154dcb75485b71880e1957c877351bd

       Process Cipher
          Cipher word: 32b1de78a822fe12ef9f78fa332e33aa
         partial hash: c3f07db9a8b9cb4345eb07f793d322d2
          Cipher word: b18012389a58e2f3b50b2a0276ffae0f
         partial hash: 6d1e66fe32eb32ecd8906ceab09db996
          Cipher word: 1ba63799b87b00000000000000000000
         partial hash: b3d1d2f1fa3b366619bc42cd2eedafee

       Process Length Word
          Length word: 00000000000000600000000000000130
         partial hash: 7debf5fa1fac3bd318d5e1a7ee401091

     Turn GHASH into GMAC
                GHASH: 7d eb f5 fa 1f ac 3b d3 18 d5 e1 a7 ee 40 10 91
                   K0: 07 48 2e cc c0 53 ed 63 e1 6e 99 df 39 e7 7c 82
            full GMAC: 7a a3 db 36 df ff d6 b0 f9 bb 78 78 d7 a7 6c 13

          received tag =  7aa3db36 dfffd6b0 f9bb7878 d7a76c13
          Computed tag =  7aa3db36 dfffd6b0 f9bb7878 d7a76c13
       Received tag verified.

     Decrypt cipher
       block # 0
         IV||blk_cntr: 51753c6580c2726f2071841400000002
            key_block: 75 d0 b2 14 c1 43 de 77 9c eb 58 95 5e 40 5a d9
         cipher_block: 32 b1 de 78 a8 22 fe 12 ef 9f 78 fa 33 2e 33 aa
          plain_block: 47 61 6c 6c 69 61 20 65 73 74 20 6f 6d 6e 69 73
       block # 1
         IV||blk_cntr: 51753c6580c2726f2071841400000003
            key_block: 91 e4 7b 4e f3 2b 83 d3 dc 65 0a 72 17 8d da 6a
         cipher_block: b1 80 12 38 9a 58 e2 f3 b5 0b 2a 02 76 ff ae 0f
          plain_block: 20 64 69 76 69 73 61 20 69 6e 20 70 61 72 74 65
       block # 2
         IV||blk_cntr: 51753c6580c2726f2071841400000004
            key_block: 68 86 43 eb dd 08 07 98 16 3a 16 d5 e5 04 f6 3a
         cipher_block: 1b a6 37 99 b8 7b
          plain_block: 73 20 74 72 65 73

     Verified and Tagged packet:
          47616c6c 69612065 7374206f 6d6e6973
          20646976 69736120 696e2070 61727465
          73207472 6573

16.3.3. AEAD_AES_256_GCM Authentication Tagging

     Tagging the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
     AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: f29000b62a499fd0a9f39a6add2e7780

     Encrypt plaintext

     Compute GMAC tag

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b247616c6c
         partial hash: c059753e6763791762ca630d8ef97714
             AAD word: 696120657374206f6d6e697320646976
         partial hash: a4e3401e712900dc4f1d2303bc4b2675
             AAD word: 69736120696e20706172746573207472
         partial hash: 1c8c1af883de0d67878f379a19c65987
             AAD word: 65730000000000000000000000000000
         partial hash: 958462781aa8e8feacce6d93b54472ac

       Process Length Word
          Length word: 00000000000001900000000000000000
         partial hash: af2efb5dcfdb9900e7127721fdb56956

     Turn GHASH into GMAC
                GHASH: af 2e fb 5d cf db 99 00 e7 12 77 21 fd b5 69 56
                   K0: 07 48 2e cc c0 53 ed 63 e1 6e 99 df 39 e7 7c 82
            full GMAC: a8 66 d5 91 0f 88 74 63 06 7c ee fe c4 52 15 d4

     Cipher with tag
          a866d591 0f887463 067ceefe c45215d4

     Tagged Packet:
          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573a866 d5910f88 7463067c eefec452
          15d4

16.3.4. AEAD_AES_256_GCM Tag Verification

     Verifying the following packet:

          8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573a866 d5910f88 7463067c eefec452
          15d4

     Form the IV
          00 00 55 01 a0 b2 00 00 00 00 f1 7b
          51 75 69 64 20 70 72 6f 20 71 75 6f
          51 75 3c 65 80 c2 72 6f 20 71 84 14

     Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
          10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
     AAD: 8040f17b 8041f8d3 5501a0b2 47616c6c
          69612065 7374206f 6d6e6973 20646976
          69736120 696e2070 61727465 73207472
          6573
      CT: a866d591 0f887463 067ceefe c45215d4
      IV: 51 75 3c 65 80 c2 72 6f 20 71 84 14
       H: f29000b62a499fd0a9f39a6add2e7780

     Verify received tag  a866d591 0f887463 067ceefe c45215d4

       Process AAD
             AAD word: 8040f17b8041f8d35501a0b247616c6c
         partial hash: c059753e6763791762ca630d8ef97714
             AAD word: 696120657374206f6d6e697320646976
         partial hash: a4e3401e712900dc4f1d2303bc4b2675
             AAD word: 69736120696e20706172746573207472
         partial hash: 1c8c1af883de0d67878f379a19c65987
             AAD word: 65730000000000000000000000000000
         partial hash: 958462781aa8e8feacce6d93b54472ac

       Process Length Word
          Length word: 00000000000001900000000000000000
         partial hash: af2efb5dcfdb9900e7127721fdb56956

     Turn GHASH into GMAC
                GHASH: af 2e fb 5d cf db 99 00 e7 12 77 21 fd b5 69 56
                   K0: 07 48 2e cc c0 53 ed 63 e1 6e 99 df 39 e7 7c 82
            full GMAC: a8 66 d5 91 0f 88 74 63 06 7c ee fe c4 52 15 d4

          received tag =  a866d591 0f887463 067ceefe c45215d4
          Computed tag =  a866d591 0f887463 067ceefe c45215d4
       Received tag verified.
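
The tag computation traced in 16.3.3 and 16.3.4, and the "Verify received tag" step of the decryption vector before them, as an added example that is not part of the draft or its authors' code. The function names are this example's own, H and K0 are copied from the vectors rather than derived with AES, and the ROC is assumed to be 0 as in the first row of "Form the IV".

```python
import hmac

R = 0xE1 << 120  # GCM reduction constant (x^128 + x^7 + x^2 + x + 1, bit-reflected)

def gf_mult(x, y):
    """Multiply in GF(2^128) using GCM's bit ordering (NIST SP 800-38D)."""
    z, v = 0, y
    for i in range(127, -1, -1):          # walk x from its leftmost bit
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h, aad, ct):
    """Hash zero-padded AAD words, zero-padded cipher words, then the length word."""
    hv, y = int.from_bytes(h, "big"), 0
    for data in (aad, ct):
        for off in range(0, len(data), 16):
            word = data[off:off + 16].ljust(16, b"\x00")
            y = gf_mult(y ^ int.from_bytes(word, "big"), hv)
    length_word = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mult(y ^ length_word, hv).to_bytes(16, "big")

def form_iv(salt, rtp_header, roc=0):
    """IV = (00 00 || SSRC || ROC || SEQ) XOR salt, fields read from the RTP header."""
    raw = b"\x00\x00" + rtp_header[8:12] + roc.to_bytes(4, "big") + rtp_header[2:4]
    return bytes(a ^ b for a, b in zip(raw, salt))

def gmac_tag(h, k0, aad, ct):
    """Full 16-octet tag: GHASH XOR K0."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ct), k0))

def verify(h, k0, aad, ct, received_tag):
    """Constant-time compare, so a mismatch does not leak how many octets matched."""
    return hmac.compare_digest(gmac_tag(h, k0, aad, ct), received_tag)

# Values copied from the vectors above; H and K0 are taken as printed, not recomputed.
H = bytes.fromhex("f29000b62a499fd0a9f39a6add2e7780")
K0 = bytes.fromhex("07482eccc053ed63e16e99df39e77c82")
SALT = bytes.fromhex("51 75 69 64 20 70 72 6f 20 71 75 6f")
HEADER = bytes.fromhex("8040f17b 8041f8d3 5501a0b2")
PAYLOAD = bytes.fromhex("47616c6c 69612065 7374206f 6d6e6973 20646976"
                        "69736120 696e2070 61727465 73207472 6573")
CT = bytes.fromhex("32b1de78 a822fe12 ef9f78fa 332e33aa b1801238"
                   "9a58e2f3 b50b2a02 76ffae0f 1ba63799 b87b")
CT_TAG = bytes.fromhex("7aa3db36 dfffd6b0 f9bb7878 d7a76c13")
```

In the tag-only vectors the whole RTP packet is AAD and the ciphertext is empty, so the call is `gmac_tag(H, K0, HEADER + PAYLOAD, b"")`; in the decryption vector only the 12-octet header is AAD.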