draft-ietf-kitten-aes-cts-hmac-sha2-06.txt | draft-ietf-kitten-aes-cts-hmac-sha2-07.txt | |||
---|---|---|---|---|

Network Working Group M. Jenkins | Network Working Group M. Jenkins | |||

Internet Draft National Security Agency | Internet Draft National Security Agency | |||

Intended Status: Informational M. Peck | Intended Status: Informational M. Peck | |||

Expires: August 13, 2015 The MITRE Corporation | Expires: June 5, 2016 The MITRE Corporation | |||

K. Burgin | K. Burgin | |||

February 9, 2015 | December 3, 2015 | |||

AES Encryption with HMAC-SHA2 for Kerberos 5 | AES Encryption with HMAC-SHA2 for Kerberos 5 | |||

draft-ietf-kitten-aes-cts-hmac-sha2-06 | draft-ietf-kitten-aes-cts-hmac-sha2-07 | |||

Abstract | Abstract | |||

This document specifies two encryption types and two corresponding | This document specifies two encryption types and two corresponding | |||

checksum types for Kerberos 5. The new types use AES in CTS mode | checksum types for Kerberos 5. The new types use AES in CTS mode | |||

(CBC mode with ciphertext stealing) for confidentiality and HMAC with | (CBC mode with ciphertext stealing) for confidentiality and HMAC with | |||

a SHA-2 hash for integrity. | a SHA-2 hash for integrity. | |||

Status of this Memo | Status of this Memo | |||

skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||

working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||

Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||

Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||

and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||

time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||

material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||

This Internet-Draft will expire on August 13, 2015. | This Internet-Draft will expire on June 5, 2016. | |||

Copyright and License Notice | Copyright and License Notice | |||

Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||

document authors. All rights reserved. | document authors. All rights reserved. | |||

This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||

Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||

(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||

publication of this document. Please review these documents | publication of this document. Please review these documents | |||

skipping to change at page 2, line 14 | skipping to change at page 2, line 14 | |||

Table of Contents | Table of Contents | |||

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||

2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 | 2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 | |||

3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 | 3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 | |||

4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 | 4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 | |||

5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 | 5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 | |||

6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 7 | 6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 7 | |||

7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||

8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||

8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8 | 8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8 | |||

8.2. Algorithm Rationale . . . . . . . . . . . . . . . . . . . 9 | 8.2. Algorithm Rationale . . . . . . . . . . . . . . . . . . . 8 | |||

9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 | |||

10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||

10.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||

10.2. Informative References . . . . . . . . . . . . . . . . . 9 | 10.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||

Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 10 | Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 10 | |||

Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||

1. Introduction | 1. Introduction | |||

This document defines two encryption types and two corresponding | This document defines two encryption types and two corresponding | |||

skipping to change at page 3, line 46 | skipping to change at page 3, line 46 | |||

2. Protocol Key Representation | 2. Protocol Key Representation | |||

The AES key space is dense, so we can use random or pseudorandom | The AES key space is dense, so we can use random or pseudorandom | |||

octet strings directly as keys. The byte representation for the key | octet strings directly as keys. The byte representation for the key | |||

is described in [FIPS197], where the first bit of the bit string is | is described in [FIPS197], where the first bit of the bit string is | |||

the high bit of the first byte of the byte string (octet string). | the high bit of the first byte of the byte string (octet string). | |||

3. Key Derivation Function | 3. Key Derivation Function | |||

We use a key derivation function from Section 5.1 of [SP800-108] | We use a key derivation function from Section 5.1 of [SP800-108] | |||

which uses the HMAC algorithm as the PRF. All octets are expressed | which uses the HMAC algorithm as the PRF. | |||

in big-endian order. The counter i is expressed as four octets and | ||||

in this document is always 0x00000001 since there is only a single | ||||

iteration of the PRF. The "Label" input to the NIST KDF is the | ||||

constant supplied to this key derivation function. When deriving Kc, | ||||

Ki, or Ke, the constant is the four octet key usage concatenated with | ||||

0x99, 0x55, or 0xAA respectively. When deriving the base-key, the | ||||

constant is the ASCII string "kerberos", also known as the byte | ||||

string 0x6B65726265726F73. When deriving Kp, the constant is the | ||||

ASCII string "prf", also known as the byte string 0x707266. The | ||||

"Context" input is omitted. The length of the output key in bits | ||||

(denoted as k) is also represented as four octets in big-endian | ||||

order. Each application of the KDF only requires a single iteration | ||||

of the PRF, so n = 1 in the notation of [SP800-108]. The purposes of | ||||

the Kc, Ki, Ke, base-key, and Kp keys are described in Section 5. | ||||

In the following summary, | indicates concatenation. The random-to- | KDF-HMAC-SHA2(key, label, k) = k-truncate(K1) | |||

key function is the identity function. The k-truncate function is | ||||

defined in [RFC3961], Section 5.1. | ||||

When the encryption type is aes128-cts-hmac-sha256-128, the output | key: The source of entropy from which subsequent keys are derived | |||

key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, | (this is known as Ki in [SP800-108]). | |||

constant) which is computed as follows: | ||||

K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80) | label: An octet string describing the intended usage of the derived | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | key. | |||

When the encryption type is aes256-cts-hmac-sha384-192, the output | k: Length in bits of the key to be outputted, expressed in big-endian | |||

key length k is 256 bits when deriving the base-key (from a | binary representation in 4 bytes (this is known as L in [SP800-108]). | |||

passphrase as described in Section 4), Ke, and Kp. The output key | (e.g. k = 128 is represented as 0x00000080, | |||

length k is 192 bits when deriving Kc and Ki. KDF-HMAC-SHA2(key, | k = 192 as 0x000000C0, k = 256 as 0x00000100, | |||

constant) is computed as follows: | k = 384 as 0x00000180) | |||

If deriving Kc or Ki (the constant ends with 0x99 or 0x55): | When the encryption type is aes128-cts-hmac-sha256-128, k must be no | |||

k = 192 | greater than 256. When the encryption type is aes256-cts-hmac-sha384- | |||

K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0) | 192, k must be no greater than 384. | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | ||||

If deriving the base-key (the constant is "kerberos", the byte | The k-truncate function is defined in [RFC3961], Section 5.1. | |||

string 0x6B65726265726F73), Ke (the constant ends with 0xAA), | ||||

or Kp (the constant is "prf", the byte string 0x707266): | In all computations in this document, | indicates concatenation. | |||

k = 256 | ||||

K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00) | When the encryption type is aes128-cts-hmac-sha256-128, then K1 is | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | computed as follows: | |||

K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | k) | ||||

When the encryption type is aes256-cts-hmac-sha384-192, then K1 is | ||||

computed as follows: | ||||

K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | k) | ||||

4. Key Generation from Pass Phrases | 4. Key Generation from Pass Phrases | |||

PBKDF2 [RFC2898] is used to derive the base-key from a passphrase | PBKDF2 [RFC2898] is used to derive the base-key from a passphrase and | |||

and salt. | salt. | |||

If no string-to-key parameters are specified, the default number of | To ensure that different long-term base-keys are used with different | |||

iterations is 32,768. | enctypes, we prepend the enctype name to the salt, separated by a | |||

null byte. The enctype-name is "aes128-cts-hmac-sha256-128" or | ||||

"aes256-cts-hmac-sha384-192" (without the quotes). | ||||

To ensure that different long-term base-keys are used with | The user's long-term base-key is derived as follows: | |||

different enctypes, we prepend the enctype name to the salt, | ||||

separated by a null byte. The enctype-name is "aes128-cts-hmac- | ||||

sha256-128" or "aes256-cts-hmac-sha384-192" (without the quotes). | ||||

The user's long-term base-key is derived as follows | ||||

iter_count = string-to-key parameter (default is | ||||

decimal 32768 if not specified) | ||||

saltp = enctype-name | 0x00 | salt | saltp = enctype-name | 0x00 | salt | |||

tkey = random-to-key(PBKDF2(passphrase, saltp, | tkey = PBKDF2(passphrase, saltp, iter_count, keylength) | |||

iter_count, keylength)) | base-key = KDF-HMAC-SHA2(tkey, "kerberos", keylength) | |||

base-key = KDF-HMAC-SHA2(tkey, "kerberos") where "kerberos" is the | where "kerberos" is the octet-string | |||

byte string {0x6B65726265726F73}. | 0x6B65726265726F73 | |||

where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when | where the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when | |||

the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the | the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the | |||

enctype is "aes256-cts-hmac-sha384-192", the value for keylength is | enctype is "aes256-cts-hmac-sha384-192", the value for keylength is | |||

the AES key length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2 | the AES key length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2 | |||

is defined in Section 3. | is defined in Section 3. | |||

5. Kerberos Algorithm Protocol Parameters | 5. Kerberos Algorithm Protocol Parameters | |||

The cipherstate is used as the formal initialization vector (IV) | The cipherstate is used as the formal initialization vector (IV) | |||
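
Review bot: In the -07 column of Section 4, iter_count is still passed to PBKDF2 in "tkey = PBKDF2(passphrase, saltp, iter_count, keylength)", but both its definition ("iter_count = string-to-key parameter ...") and the sentence giving the default of 32,768 iterations are gone, so the section no longer says where the value comes from. Restore a one-line definition next to saltp, or point to the default string-to-key parameters in Section 5. The Section 3 rewrite likewise drops the statements that the leading 0x00000001 is the [SP800-108] counter i, that the "Context" input is omitted and that n = 1. The new limits "k must be no greater than 256" and "no greater than 384" only follow from a single PRF iteration, so one sentence saying so should stay.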

skipping to change at page 6, line 15 | skipping to change at page 6, line 5 | |||

Ki: the integrity key, inputted into HMAC to provide authenticated | Ki: the integrity key, inputted into HMAC to provide authenticated | |||

encryption as defined in "encryption function" and "decryption | encryption as defined in "encryption function" and "decryption | |||

function" below. | function" below. | |||

required checksum mechanism: as defined in Section 6. | required checksum mechanism: as defined in Section 6. | |||

key-generation seed length: key size (128 or 256 bits). | key-generation seed length: key size (128 or 256 bits). | |||

string-to-key function: as defined in Section 4. | string-to-key function: as defined in Section 4. | |||

default string-to-key parameters: 00 00 80 00. | default string-to-key parameters: decimal 32768. | |||

random-to-key function: identity function. | ||||

key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The | key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The | |||

key usage number is expressed as four octets in big-endian order. | key usage number is expressed as four octets in big-endian order. | |||

Kc = KDF-HMAC-SHA2(base-key, usage | 0x99) | If the enctype is aes128-cts-hmac-sha256-128: | |||

Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA) | Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 128) | |||

Ki = KDF-HMAC-SHA2(base-key, usage | 0x55) | Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 128) | |||

Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 128) | ||||

If the enctype is aes256-cts-hmac-sha384-192: | ||||

Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 192) | ||||

Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 256) | ||||

Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 192) | ||||

cipherstate: a 128-bit CBC initialization vector derived from | cipherstate: a 128-bit CBC initialization vector derived from | |||

the ciphertext. | the ciphertext. | |||

initial cipherstate: all bits zero. | initial cipherstate: all bits zero. | |||

encryption function: as follows, where E() is AES encryption in | encryption function: as follows, where E() is AES encryption in | |||

CBC-CS3 mode, and h is the size of truncated HMAC. | CBC-CS3 mode, and h is the size of truncated HMAC (128 bits or | |||

192 bits as described above). | ||||

N = random nonce of length 128 bits (the AES block size) | N = random nonce of length 128 bits (the AES block size) | |||

IV = cipherstate | IV = cipherstate | |||

C = E(Ke, N | plaintext, IV) | C = E(Ke, N | plaintext, IV) | |||

H = HMAC(Ki, IV | C) | H = HMAC(Ki, IV | C) | |||

ciphertext = C | H[1..h] | ciphertext = C | H[1..h] | |||

cipherstate = the last full (128 bit) block of C | cipherstate = the last full (128 bit) block of C | |||

(i.e. the next-to-last block if the last block | (i.e. the next-to-last block if the last block | |||

is not a full 128 bits) | is not a full 128 bits) | |||
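
Review bot: "default string-to-key parameters: decimal 32768." names the iteration count but no longer shows how the parameter is encoded, which the -06 value "00 00 80 00" did (four octets, big-endian). Give both, for example the octets with the decimal value in parentheses, so implementers do not have to guess the width and byte order. The same hunk deletes "random-to-key function: identity function." while Section 2 still relies on random octet strings being used directly as keys; keep the line if the profile is meant to list that function explicitly.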

skipping to change at page 7, line 4 | skipping to change at page 6, line 48 | |||

decryption function: as follows, where D() is AES decryption in | decryption function: as follows, where D() is AES decryption in | |||

CBC-CS3 mode, and h is the size of truncated HMAC. | CBC-CS3 mode, and h is the size of truncated HMAC. | |||

(C, H) = ciphertext | (C, H) = ciphertext | |||

IV = cipherstate | IV = cipherstate | |||

if H != HMAC(Ki, IV | C)[1..h] | if H != HMAC(Ki, IV | C)[1..h] | |||

stop, report error | stop, report error | |||

(N, P) = D(Ke, C, IV) | (N, P) = D(Ke, C, IV) | |||

Note: N is set to the first block of the decryption output, | Note: N is set to the first block of the decryption output, | |||

P is set to the rest of the output. | P is set to the rest of the output. | |||

cipherstate = the last full (128 bit) block of C | cipherstate = the last full (128 bit) block of C | |||

(i.e. the next-to-last block if the last block | (i.e. the next-to-last block if the last block | |||

is not a full 128 bits) | is not a full 128 bits) | |||

pseudo-random function: | pseudo-random function: | |||

If the enctype is aes128-cts-hmac-sha256-128: | If the enctype is aes128-cts-hmac-sha256-128: | |||

k = 128 | PRF = KDF-HMAC-SHA2(base-key, "prf" | octet-string, 256) | |||

If the enctype is aes256-cts-hmac-sha384-192: | If the enctype is aes256-cts-hmac-sha384-192: | |||

k = 256 | PRF = KDF-HMAC-SHA2(base-key, "prf" | octet-string, 384) | |||

Kp = KDF-HMAC-SHA2(base-key, "prf") | ||||

PRF = k-truncate(HMAC-SHA2(Kp, octet-string)) | ||||

where SHA2 is SHA-256 if the enctype is | where "prf" is the octet-string 0x707266 | |||

aes128-cts-hmac-sha256-128, | ||||

and is SHA-384 if the enctype is aes256-cts-hmac-sha384-192. | ||||

6. Checksum Parameters | 6. Checksum Parameters | |||

The following parameters apply to the checksum types hmac-sha256-128- | The following parameters apply to the checksum types hmac-sha256-128- | |||

aes128 and hmac-sha384-192-aes256, which are the associated checksums | aes128 and hmac-sha384-192-aes256, which are the associated checksums | |||

for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, | for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, | |||

respectively. | respectively. | |||

associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate. | associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate. | |||

get_mic: HMAC(Kc, message)[1..h]. | get_mic: HMAC(Kc, message)[1..h]. | |||

where h is 128 bits for checksum type hmac-sha256-128-aes128 | ||||

and 192 bits for checksum type hmac-sha384-192-aes256 | ||||

verify_mic: get_mic and compare. | verify_mic: get_mic and compare. | |||

7. IANA Considerations | 7. IANA Considerations | |||

IANA is requested to assign: | IANA is requested to assign: | |||

Encryption type numbers for aes128-cts-hmac-sha256-128 and | Encryption type numbers for aes128-cts-hmac-sha256-128 and | |||

aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers | aes256-cts-hmac-sha384-192 in the Kerberos Encryption Type Numbers | |||

registry. | registry. | |||

Etype encryption type Reference | Etype Encryption type Reference | |||

----- --------------- --------- | ----- --------------- --------- | |||

TBD1 aes128-cts-hmac-sha256-128 [this document] | TBD1 aes128-cts-hmac-sha256-128 [this document] | |||

TBD2 aes256-cts-hmac-sha384-192 [this document] | TBD2 aes256-cts-hmac-sha384-192 [this document] | |||

Checksum type numbers for hmac-sha256-128-aes128 and hmac-sha384-192- | Checksum type numbers for hmac-sha256-128-aes128 and hmac-sha384-192- | |||

aes256 in the Kerberos Checksum Type Numbers registry. | aes256 in the Kerberos Checksum Type Numbers registry. | |||

Sumtype Checksum type Size Reference | Sumtype Checksum type Size Reference | |||

------- ------------- ---- --------- | ------- ------------- ---- --------- | |||

TBD3 hmac-sha256-128-aes128 16 [this document] | TBD3 hmac-sha256-128-aes128 16 [this document] | |||
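
Review bot: The new pseudo-random function derives its output straight from base-key, the same key that feeds Kc, Ke and Ki, where -06 first derived a dedicated Kp. Separation between PRF output and the usage keys now rests on the label ("prf" | octet-string versus usage | 0x99, 0xAA or 0x55) and on k being 256 or 384 here, so a sentence in Section 8 stating that this is intended would help. The PRF output length also changes from 128 and 256 bits in -06 to 256 and 384 bits, which deserves an explicit mention next to the definition.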

skipping to change at page 9, line 8 | skipping to change at page 8, line 47 | |||

password at two KDCs to get the same keys. If each KDC uses a random | password at two KDCs to get the same keys. If each KDC uses a random | |||

salt, they won't have the same keys. | salt, they won't have the same keys. | |||

* Random salts may interfere with password history checking. | * Random salts may interfere with password history checking. | |||

* ktutil's add_entry command assumes the default salt. | * ktutil's add_entry command assumes the default salt. | |||

8.2. Algorithm Rationale | 8.2. Algorithm Rationale | |||

This document has been written to be consistent with common | This document has been written to be consistent with common | |||

implementations of AES and SHA-2. The encryption and hash algorithm | implementations of AES and SHA-2. The encryption and hash algorithm | |||

sizes have been chosen to create a consistent level of protection, | sizes have been chosen to create a consistent level of protection, | |||

with consideration to implementation efficiencies. So, for instance, | with consideration to implementation efficiencies. So, for instance, | |||

SHA-384, which would normally be matched to AES-192, is instead | SHA-384, which would normally be matched to AES-192, is instead | |||

matched to AES-256 to leverage the fact that there are efficient | matched to AES-256 to leverage the fact that there are efficient | |||

hardware implementations of AES-256. Note that, as indicated by the | hardware implementations of AES-256. Note that, as indicated by the | |||

enc-type name "aes256-cts-hmac-sha384-192", the use of SHA-384 and | enc-type name "aes256-cts-hmac-sha384-192", the truncation of the | |||

AES-256 with a 192-bit key provides only a 192-bit level of security. | HMAC-SHA-384 output to 192-bits results in an overall 192-bit level | |||

of security. | ||||

9. Acknowledgements | 9. Acknowledgements | |||

Kelley Burgin was employed at the National Security Agency during | Kelley Burgin was employed at the National Security Agency during | |||

much of the work on this document. | much of the work on this document. | |||

10. References | 10. References | |||

10.1. Normative References | 10.1. Normative References | |||
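
Review bot: In the rewritten last sentence of Section 8.2, "192-bits" should read "192 bits"; the hyphen belongs only in the adjectival form, as in "192-bit level of security" later in the same sentence.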

skipping to change at page 11, line 4 | skipping to change at page 10, line 46 | |||

45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22 | 45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22 | |||

36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67 | 36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67 | |||

Sample results for key derivation: | Sample results for key derivation: | |||

---------------------------------- | ---------------------------------- | |||

enctype aes128-cts-hmac-sha256-128: | enctype aes128-cts-hmac-sha256-128: | |||

128-bit base-key: | 128-bit base-key: | |||

37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C | 37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C | |||

Kc value for key usage 2 (constant = 0x0000000299): | Kc value for key usage 2 (constant = 0x0000000299): | |||

B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 | B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 | |||

Ke value for key usage 2 (constant = 0x00000002AA): | Ke value for key usage 2 (constant = 0x00000002AA): | |||

9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | |||

Ki value for key usage 2 (constant = 0x0000000255): | Ki value for key usage 2 (constant = 0x0000000255): | |||

9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | |||

Kp value (constant = 0x707266): | ||||

9C 66 77 98 08 4F 16 82 1E 77 15 DD 5A A6 EB 71 | ||||

enctype aes256-cts-hmac-sha384-192: | enctype aes256-cts-hmac-sha384-192: | |||

256-bit base-key: | 256-bit base-key: | |||

6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 | 6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 | |||

00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 | 00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 | |||

Kc value for key usage 2 (constant = 0x0000000299): | Kc value for key usage 2 (constant = 0x0000000299): | |||

EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | |||

BA 41 F2 8F AF 69 E7 3D | BA 41 F2 8F AF 69 E7 3D | |||

Ke value for key usage 2 (constant = 0x00000002AA): | Ke value for key usage 2 (constant = 0x00000002AA): | |||

56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | |||

A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | |||

Ki value for key usage 2 (constant = 0x0000000255): | Ki value for key usage 2 (constant = 0x0000000255): | |||
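
Review bot: The Kp sample is removed from the aes128-cts-hmac-sha256-128 key derivation results with nothing in its place, so in the lines shown no key derivation sample exercises the "prf" label any more. Since the PRF is now computed as KDF-HMAC-SHA2(base-key, "prf" | octet-string, 256), add a sample PRF output for this base-key so that Appendix A covers the new definition.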

skipping to change at page 11, line 26 | skipping to change at page 11, line 17 | |||

00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 | 00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 | |||

Kc value for key usage 2 (constant = 0x0000000299): | Kc value for key usage 2 (constant = 0x0000000299): | |||

EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | |||

BA 41 F2 8F AF 69 E7 3D | BA 41 F2 8F AF 69 E7 3D | |||

Ke value for key usage 2 (constant = 0x00000002AA): | Ke value for key usage 2 (constant = 0x00000002AA): | |||

56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | |||

A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | |||

Ki value for key usage 2 (constant = 0x0000000255): | Ki value for key usage 2 (constant = 0x0000000255): | |||

69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | |||

22 C4 D0 0F FC 23 ED 1F | 22 C4 D0 0F FC 23 ED 1F | |||

Kp value (constant = 0x707266): | ||||

5D 63 0D B7 EF DE 37 DE 9C 92 03 C5 2B D9 6C 77 | ||||

31 BE 1C 5B DD 50 DC 75 44 D9 60 AF F3 CC 23 04 | ||||

Sample pseudorandom function (PRF) invocations: | ||||

---------------------------------------- | ||||

PRF input octet-string: "test" (0x74657374) | ||||

enctype aes128-cts-hmac-sha256-128: | ||||

Kp value: | ||||

9C 66 77 98 08 4F 16 82 1E 77 15 DD 5A A6 EB 71 | ||||

PRF output: | ||||

3A CA 18 6C C1 26 56 76 5C FE B1 D2 2D 1C B1 36 | ||||

enctype aes256-cts-hmac-sha384-192: | ||||

Kp value: | ||||

5D 63 0D B7 EF DE 37 DE 9C 92 03 C5 2B D9 6C 77 | ||||

31 BE 1C 5B DD 50 DC 75 44 D9 60 AF F3 CC 23 04 | ||||

PRF output: | ||||

01 72 03 F2 90 CD 16 6C D6 B2 BB 4F 18 7D 16 23 | ||||

6B 9A 4E D7 66 19 D8 11 6C 64 06 A3 37 E7 F9 08 | ||||

Sample encryptions (all using the default cipher state): | Sample encryptions (all using the default cipher state): | |||

-------------------------------------------------------- | -------------------------------------------------------- | |||

These sample encryptions use the above sample key | ||||

derivation results, including use of the same | ||||

base-key and key usage values. | ||||

The following test vectors are for | The following test vectors are for | |||

enctype aes128-cts-hmac-sha256-128: | enctype aes128-cts-hmac-sha256-128: | |||

Plaintext: (empty) | Plaintext: (empty) | |||

Confounder: | Confounder: | |||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | 7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | |||

128-bit AES key: | 128-bit AES key (Ke): | |||

9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | |||

128-bit HMAC key: | 128-bit HMAC key (Ki): | |||

9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | |||

AES Output: | AES Output: | |||

EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D | EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D | |||

Truncated HMAC Output: | Truncated HMAC Output: | |||

AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18 | AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18 | |||

Ciphertext (AES Output | HMAC Output): | Ciphertext (AES Output | HMAC Output): | |||

EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D | EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D | |||

AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18 | AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18 | |||

Plaintext: (length less than block size) | Plaintext: (length less than block size) | |||

00 01 02 03 04 05 | 00 01 02 03 04 05 | |||

Confounder: | Confounder: | |||

7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24 | 7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24 | |||

128-bit AES key: | 128-bit AES key (Ke): | |||

4E FD A6 52 4E 6B 56 B4 F2 12 61 FB FC 93 21 AB | 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | |||

128-bit HMAC key: | 128-bit HMAC key (Ki): | |||

29 1B 0C 37 73 D7 6E E6 BA 2C CF 1E 03 93 F6 3E | 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | |||

AES Output: | AES Output: | |||

AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98 | 84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF | |||

F1 4B 93 65 9D 1B | B5 54 02 CE F7 E6 | |||

Truncated HMAC Output: | Truncated HMAC Output: | |||

A0 C5 F4 7C AA 84 42 19 F9 08 AD ED EF 52 5B 71 | 87 7C E9 9E 24 7E 52 D1 6E D4 42 1D FD F8 97 6C | |||

Ciphertext: | Ciphertext: | |||

AB 70 F4 BA 9D 76 55 AF 24 B5 76 E4 6E FB 7A 98 | 84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF | |||

F1 4B 93 65 9D 1B A0 C5 F4 7C AA 84 42 19 F9 08 | B5 54 02 CE F7 E6 87 7C E9 9E 24 7E 52 D1 6E D4 | |||

AD ED EF 52 5B 71 | 42 1D FD F8 97 6C | |||

Plaintext: (length equals block size) | Plaintext: (length equals block size) | |||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

Confounder: | Confounder: | |||

56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F | 56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F | |||

128-bit AES key: | 128-bit AES key (Ke): | |||

FF 82 40 42 4B CC BA 05 56 50 C0 39 3B 83 DF 3B | 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | |||

128-bit HMAC key: | 128-bit HMAC key (Ki): | |||

ED 15 62 8B 45 35 8C BF 7F 50 E7 64 C2 6B 8A 1A | 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | |||

AES Output: | AES Output: | |||

E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75 | 35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A | |||

78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC | E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2 | |||

Truncated HMAC Output: | Truncated HMAC Output: | |||

C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5 | 95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3 | |||

Ciphertext: | Ciphertext: | |||

E7 34 8E 74 86 E5 A7 87 0F 51 2E 65 CA C8 65 75 | 35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A | |||

78 26 FF C0 EA 5B 28 A8 B9 60 8B B3 08 CD E2 CC | E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2 | |||

C1 85 4E F2 F3 4D 02 35 4E C7 AA 53 BE 03 BE D5 | 95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3 | |||

Plaintext: (length greater than block size) | Plaintext: (length greater than block size) | |||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

10 11 12 13 14 | 10 11 12 13 14 | |||

Confounder: | Confounder: | |||

A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC | A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC | |||

128-bit AES key: | 128-bit AES key (Ke): | |||

B5 9B 88 75 AD 5D CA FF F7 79 4D 93 F8 19 9D 79 | 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | |||

128-bit HMAC key: | 128-bit HMAC key (Ki): | |||

0A 42 1D 72 2F 8F C2 D6 84 8B 1C DA D1 5A 49 C9 | 9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C | |||

AES Output: | AES Output: | |||

C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D | 72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36 | |||

52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A | C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC | |||

79 3E 21 09 7D | E1 E6 D0 72 C1 | |||

Truncated HMAC Output: | Truncated HMAC Output: | |||

5B 03 5D 78 A7 E9 84 75 EC 91 0C E3 7A A0 2A 7D | 86 B3 9A 41 3C 2F 92 CA 9B 83 34 A2 87 FF CB FC | |||

Ciphertext: | Ciphertext: | |||

C3 53 72 86 FF 9C FE 49 8D 2E FC FC 99 6D AC 2D | 72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36 | |||

52 CA 56 03 B3 E8 68 EA 1E 9C 54 E8 2A E5 CE 7A | C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC | |||

79 3E 21 09 7D 5B 03 5D 78 A7 E9 84 75 EC 91 0C | E1 E6 D0 72 C1 86 B3 9A 41 3C 2F 92 CA 9B 83 34 | |||

E3 7A A0 2A 7D | A2 87 FF CB FC | |||

The following test vectors are for enctype | The following test vectors are for enctype | |||

aes256-cts-hmac-sha384-192: | aes256-cts-hmac-sha384-192: | |||

Plaintext: (empty) | Plaintext: (empty) | |||

Confounder: | Confounder: | |||

F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4 | F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4 | |||

256-bit AES key: | 256-bit AES key (Ke): | |||

0F A2 0D 7D 03 33 EE 65 16 2C DA 67 E7 AD 0D 3C | 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | |||

5E 03 1F 3B 66 70 E0 31 28 2F AC C2 87 9C 21 C7 | A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | |||

192-bit HMAC key: | 192-bit HMAC key (Ki): | |||

53 BF 30 6A 68 33 A3 25 18 FC B8 5F 63 1D 03 D5 | 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | |||

2E E3 1B 39 75 2F 57 ED | 22 C4 D0 0F FC 23 ED 1F | |||

AES Output: | AES Output: | |||

FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D | 41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0 | |||

Truncated HMAC Output: | Truncated HMAC Output: | |||

81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9 | 58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74 | |||

AC 3A AB 06 97 FC E8 5A | 8B 9B BF BE 7E B4 CE 3C | |||

Ciphertext: | Ciphertext: | |||

FE 6A 55 14 F3 99 7C 8C AA F2 2D 8E EE 28 6D 7D | 41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0 | |||

81 1E AD AE DA 7F B9 75 AD 96 C0 07 5A 98 83 F9 | 58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74 | |||

AC 3A AB 06 97 FC E8 5A | 8B 9B BF BE 7E B4 CE 3C | |||

Plaintext: (length less than block size) | Plaintext: (length less than block size) | |||

00 01 02 03 04 05 | 00 01 02 03 04 05 | |||

Confounder: | Confounder: | |||

B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A | B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A | |||

256-bit AES key: | 256-bit AES key (Ke): | |||

47 DA 4C A2 8B D1 C1 14 D5 50 7E 55 81 86 CA 4F | 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | |||

DB A0 DA E5 B2 4F 6D 68 89 D5 3A FB F1 D0 B8 36 | A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | |||

192-bit HMAC key: | 192-bit HMAC key (Ki): | |||

13 6B 5C 83 C9 53 AE 29 E2 C2 31 6A 7B 34 B8 C2 | 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | |||

AD 26 E4 66 7F AB 42 6E | 22 C4 D0 0F FC 23 ED 1F | |||

AES Output: | AES Output: | |||

14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C | 4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7 | |||

74 3B D4 BC 22 EC | B7 5F B3 F6 37 B9 | |||

Truncated HMAC Output: | Truncated HMAC Output: | |||

17 2A B2 BB 12 B0 0D BE C2 BF E6 29 CF DD 62 EC | F5 59 C7 F6 64 F6 9E AB 7B 60 92 23 75 26 EA 0D | |||

3E 45 83 8F A9 FB AE 6E | 1F 61 CB 20 D6 9D 10 F2 | |||

Ciphertext: | Ciphertext: | |||

14 78 CF 26 BA 5E 7D 3A 9D C7 99 7A 80 10 76 2C | 4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7 | |||

74 3B D4 BC 22 EC 17 2A B2 BB 12 B0 0D BE C2 BF | B7 5F B3 F6 37 B9 F5 59 C7 F6 64 F6 9E AB 7B 60 | |||

E6 29 CF DD 62 EC 3E 45 83 8F A9 FB AE 6E | 92 23 75 26 EA 0D 1F 61 CB 20 D6 9D 10 F2 | |||

Plaintext: (length equals block size) | Plaintext: (length equals block size) | |||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

Confounder: | Confounder: | |||

53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63 | 53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63 | |||

256-bit AES key: | 256-bit AES key (Ke): | |||

5E A6 16 D8 FD A2 33 F1 B4 99 79 A4 B9 FA 01 D3 | 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | |||

21 B1 3D 6F BD 6E 3B B7 2E 54 B4 85 E2 36 AF 23 | A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | |||

192-bit HMAC key: | 192-bit HMAC key (Ki): | |||

AD D3 8D C9 86 83 C5 CC 14 E3 C7 37 EA A7 06 47 | ||||

B3 19 71 0E 87 6A 38 77 | 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | |||

22 C4 D0 0F FC 23 ED 1F | ||||

AES Output: | AES Output: | |||

B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0 | BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B | |||

FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60 | BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6 | |||

Truncated HMAC Output: | Truncated HMAC Output: | |||

2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1 | 8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E | |||

B3 C9 6F 4B 45 C1 9B 77 | 40 C4 FF 25 5B 36 A2 66 | |||

Ciphertext: | Ciphertext: | |||

B6 0B 6A A6 00 C2 D8 4B 03 A6 1C 18 DD A7 05 F0 | BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B | |||

FE 90 B9 36 B8 8C 4F EA 06 D7 1A 99 35 75 28 60 | BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6 | |||

2F E5 BD 6E 41 78 17 D6 2A D2 C9 CF 50 8D FA E1 | 8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E | |||

B3 C9 6F 4B 45 C1 9B 77 | 40 C4 FF 25 5B 36 A2 66 | |||

Plaintext: (length greater than block size) | Plaintext: (length greater than block size) | |||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

10 11 12 13 14 | 10 11 12 13 14 | |||

Confounder: | Confounder: | |||

76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1 | 76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1 | |||

256-bit AES key (Ke): | ||||

256-bit AES key: | 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | |||

B3 A8 02 E3 40 61 3E F1 E0 EC E9 1A 15 7C 59 12 | A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | |||

6F BD C4 B8 C2 4C 8D 0B 2E 5A 30 F0 1E 7E 34 88 | 192-bit HMAC key (Ki): | |||

192-bit HMAC key: | 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | |||

FC 0B 49 9B 83 55 A3 2A C3 C9 AC B6 64 93 63 EB | 22 C4 D0 0F FC 23 ED 1F | |||

5D BB A4 25 1A 75 B2 0A | ||||

AES Output: | AES Output: | |||

4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79 | 40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE | |||

46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B | 10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2 | |||

E0 55 F5 69 EB | B2 A6 02 AC 86 | |||

Truncated HMAC Output: | Truncated HMAC Output: | |||

7C F8 36 70 75 8C BF DA 31 3C FE F8 74 2B 11 74 | FE F6 EC B6 47 D6 29 5F AE 07 7A 1F EB 51 75 08 | |||

14 A7 DD 12 B4 96 64 2E | D2 C1 6B 41 92 E0 1F 62 | |||

Ciphertext: | Ciphertext: | |||

4C F9 8B 5E DA 0D 94 9F B3 8E CD 67 DE 80 0F 79 | 40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE | |||

46 19 F9 EA CB 30 54 33 50 6B 9A D4 48 4B D9 5B | 10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2 | |||

E0 55 F5 69 EB 7C F8 36 70 75 8C BF DA 31 3C FE | B2 A6 02 AC 86 FE F6 EC B6 47 D6 29 5F AE 07 7A | |||

F8 74 2B 11 74 14 A7 DD 12 B4 96 64 2E | 1F EB 51 75 08 D2 C1 6B 41 92 E0 1F 62 | |||

Sample checksums: | Sample checksums: | |||

----------------- | ----------------- | |||
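Review bot: the encryption samples above give "AES Output" and "Truncated HMAC Output" but never list the octets that Ki is applied to, so an implementer whose HMAC disagrees cannot tell whether the input or the truncation is at fault. The PRF samples further down carry an "HMAC-SHA-256 input message" line; add the equivalent HMAC input line to each encryption sample. The right-hand column also repeats the same Ke (56 AB 22 BE ...) and Ki (69 B1 65 14 ...) in all four aes256 samples, so stating the keys once per enctype would shorten the section and make it obvious that only the confounder and plaintext vary.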

These sample checksums use the above sample key | ||||

derivation results, including use of the same | ||||

base-key and key usage values. | ||||

Checksum type: hmac-sha256-128-aes128 | Checksum type: hmac-sha256-128-aes128 | |||

128-bit HMAC key: | 128-bit HMAC key (Kc): | |||

B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 | B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3 | |||

Plaintext: | Plaintext: | |||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

10 11 12 13 14 | 10 11 12 13 14 | |||

Checksum: | Checksum: | |||

D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE | D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE | |||

Checksum type: hmac-sha384-192-aes256 | Checksum type: hmac-sha384-192-aes256 | |||

192-bit HMAC key: | 192-bit HMAC key (Kc): | |||

EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | |||

BA 41 F2 8F AF 69 E7 3D | BA 41 F2 8F AF 69 E7 3D | |||

Plaintext: | Plaintext: | |||

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | |||

10 11 12 13 14 | 10 11 12 13 14 | |||

Checksum: | Checksum: | |||

45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D | 45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D | |||

43 C3 BF A0 66 99 67 2A | 43 C3 BF A0 66 99 67 2A | |||

Sample pseudorandom function (PRF) invocations: | ||||

---------------------------------------- | ||||

PRF input octet-string: "test" (0x74657374) | ||||

enctype aes128-cts-hmac-sha256-128: | ||||

base-key value / HMAC-SHA-256 key: | ||||

37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C | ||||

HMAC-SHA-256 input message: | ||||

00 00 00 01 70 72 66 74 65 73 74 00 00 00 01 00 | ||||

PRF output: | ||||

14 11 15 B0 A6 CB 9A 1D CB B4 C7 E2 5B 43 32 22 | ||||

52 DE 58 11 21 85 C5 DC F5 12 5E 7B 81 54 8D 39 | ||||

enctype aes256-cts-hmac-sha384-192: | ||||

base-key value / HMAC-SHA-384 key: | ||||

6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98 | ||||

00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52 | ||||

HMAC-SHA-384 input message: | ||||

00 00 00 01 70 72 66 74 65 73 74 00 00 00 01 80 | ||||

PRF output: | ||||

31 0A 4B 5C D2 90 F7 04 33 B2 A1 A1 D0 93 FD F7 | ||||

8C 6C 9D AE 5C AC D3 A7 BD 45 CB 67 44 41 99 43 | ||||

0D 36 19 06 44 E8 A2 16 66 43 AE AD E9 63 87 52 | ||||

Authors' Addresses | Authors' Addresses | |||

Michael J. Jenkins | Michael J. Jenkins | |||

National Security Agency | National Security Agency | |||

EMail: mjjenki@tycho.ncsc.mil | EMail: mjjenki@tycho.ncsc.mil | |||

Michael A. Peck | Michael A. Peck | |||

The MITRE Corporation | The MITRE Corporation | |||
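Review bot: in both PRF input messages the label octets 70 72 66 ("prf") run straight into 74 65 73 74 ("test"), and the single 00 octet comes only after the pair, so the message does not mark where the label ends and the PRF input octet-string begins. Move the 00 separator between the two, or say in the PRF definition why the unseparated concatenation is unambiguous. A one-line field breakdown under each "input message" would also let readers match the trailing 00 00 01 00 and 00 00 01 80 to the 32-octet and 48-octet outputs shown.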

End of changes. 70 change blocks. | ||||

194 lines changed or deleted | | 194 lines changed or added | ||
