Re: [Ipsec] CCM: AAD construction
Russ Housley <housley@vigilsec.com> Thu, 07 April 2005 18:42 UTC
Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA25272 for <ipsec-archive@lists.ietf.org>; Thu, 7 Apr 2005 14:42:19 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DJbwA-0005p0-I7; Thu, 07 Apr 2005 14:41:06 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DJbw8-0005ov-LX for ipsec@megatron.ietf.org; Thu, 07 Apr 2005 14:41:04 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA25192 for <ipsec@ietf.org>; Thu, 7 Apr 2005 14:41:02 -0400 (EDT)
Received: from woodstock.binhost.com ([144.202.243.4]) by ietf-mx.ietf.org with smtp (Exim 4.33) id 1DJc4k-0006A7-AU for ipsec@ietf.org; Thu, 07 Apr 2005 14:49:58 -0400
Received: (qmail 12700 invoked by uid 0); 7 Apr 2005 18:40:11 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.14.68) by woodstock.binhost.com with SMTP; 7 Apr 2005 18:40:11 -0000
Message-Id: <6.2.0.14.2.20050407140202.05092490@mail.binhost.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.14
Date: Thu, 07 Apr 2005 14:39:59 -0400
To: "Bansal, Yogesh" <yogesh.bansal@intel.com>
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [Ipsec] CCM: AAD construction
In-Reply-To: <E4FF889B88DF4A4EBBDDDEF6D5BF7CE40515F615@fmsmsx407.amr.cor p.intel.com>
References: <E4FF889B88DF4A4EBBDDDEF6D5BF7CE40515F615@fmsmsx407.amr.corp.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 0fa76816851382eb71b0a882ccdc29ac
Cc: ipsec@ietf.org, makaram.raghunandan@intel.com
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Yogesh: >I have few questions on CCM & it's use in IPSec ESP mode. The questions >are related to construction of AAD blocks required for authentication >purposes. > >1) Construction of AAD blocks in CCM in general > >RFC 3610 specifies construction of B_0, B_1 blocks >The construction of B_0 has been clearly defined. This block is followed >by length encoding of "a" followed by "a" itself, as per the following >paragraph in the spec: > >Blocks encoding a are formed by concatenating this string that encodes >l(a) with a itself, and splitting the result into 16-octet blocks, and >then padding the last block with zeros if necessary. These blocks are >appended to the first block B_0. > >Does this mean the following: > >B_1 = encoding(l(a)) || a || pad (to the next 16 octet block ) > >Hence, the AAD block stream then consists of >B_0 || B_1 || m_0 || m_1 ... || m_n (padding, if required) > > >[Q] Please confirm whether the interpretation of B_1 construction is >correct. Sometimes. When 0 < l(a) < (2^16 - 2^8), then B0 includes l(a). In this case, B1 begins with a. >2) Construction of AAD blocks in IPSec ESP mode > >Does B_1 definition mean the following in IPSec ESP mode >AAD_IPSec = SPI || SEQ_Num > >B_1 = encoding (l (AAD_IPSec)) || AAD_IPsec || pad (to the next 16 >octet block) > >[Q] Please confirm construction of B_1 block in IPSec mode is correct. The answer to this is found in draft-ietf-ipsec-ciph-aes-ccm-05.txt, which is in the RFC Editor queue. Section 5 shows the two cases for AAD construction. In both cases, l(a) is less than (2^16 - 2^8), so l(a) is encoded as part of B0. Thus, B1 contains only the SPI and the sequence number. The two cases are the traditional sequence number, which is 32 bits, and the extended sequence number, which is 64 bits. In either case, the total length of the AAD is less than one block, and padding is needed. >3) Computing CBC-MAC in CCM Mode With IPsec ESP >CCM spec (RFC 3610) implies that authentication is done on the plain >text (and not the cipher text). > >However, IPSec ESP mode states that encryption is done prior to >authentication. Does this order change in the >draft-ietf-ipsec-ciph-aes-ccm-05.txt, meaning that authentication is >done after CTR-encryption? If so, is the CBC-MAC encrypted again. > >My interpretation is that the order still remains the same as specified >in RFC 3610, i.e. authentication is on plain text and not cipher text. > >[Q] Please indicate what is the correct order of processing on the >outbound side. Authentication is done first. Please make sure that you are following draft-ietf-ipsec-esp-v3-10.txt, which is also in the RFC Editor queue. This document includes support for authenticated encryption modes like CCM. This support is not available in ESP v2 (RFC 2406). Russ _______________________________________________ Ipsec mailing list Ipsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec
- [Ipsec] CCM: AAD construction Bansal, Yogesh
- Re: [Ipsec] CCM: AAD construction Stephen Kent
- Re: [Ipsec] CCM: AAD construction Russ Housley