rfc8645v3.txt | rfc8645.txt | |||
---|---|---|---|---|
skipping to change at page 1, line 31 ¶ | skipping to change at page 1, line 31 ¶ | |||
in the IRTF. | in the IRTF. | |||
Status of This Memo | Status of This Memo | |||
This document is not an Internet Standards Track specification; it is | This document is not an Internet Standards Track specification; it is | |||
published for informational purposes. | published for informational purposes. | |||
This document is a product of the Internet Research Task Force | This document is a product of the Internet Research Task Force | |||
(IRTF). The IRTF publishes the results of Internet-related research | (IRTF). The IRTF publishes the results of Internet-related research | |||
and development activities. These results might not be suitable for | and development activities. These results might not be suitable for | |||
deployment. This RFC represents the consensus of the CFRG Research | deployment. This RFC represents the consensus of the Crypto Forum | |||
Group of the Internet Research Task Force (IRTF). Documents approved | Research Group of the Internet Research Task Force (IRTF). Documents | |||
for publication by the IRSG are not candidates for any level of | approved for publication by the IRSG are not candidates for any level | |||
Internet Standard; see Section 2 of RFC 7841. | of Internet Standard; see Section 2 of RFC 7841. | |||
Information about the current status of this document, any errata, | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | and how to provide feedback on it may be obtained at | |||
https://www.rfc-editor.org/info/rfc8645. | https://www.rfc-editor.org/info/rfc8645. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. | to this document. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2. Conventions Used in This Document . . . . . . . . . . . . . . 6 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 7 | |||
3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 6 | 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 7 | |||
4. Choosing Constructions and Security Parameters . . . . . . . 8 | 4. Choosing Constructions and Security Parameters . . . . . . . 9 | |||
5. External Re-keying Mechanisms . . . . . . . . . . . . . . . . 10 | 5. External Re-keying Mechanisms . . . . . . . . . . . . . . . . 11 | |||
5.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 13 | 5.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 14 | |||
5.2. Parallel Constructions . . . . . . . . . . . . . . . . . 13 | 5.2. Parallel Constructions . . . . . . . . . . . . . . . . . 14 | |||
5.2.1. Parallel Construction Based on a KDF on a Block | 5.2.1. Parallel Construction Based on a KDF on a Block | |||
Cipher . . . . . . . . . . . . . . . . . . . . . . . 14 | Cipher . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
5.2.2. Parallel Construction Based on a KDF on a Hash | 5.2.2. Parallel Construction Based on a KDF on a Hash | |||
Function . . . . . . . . . . . . . . . . . . . . . . 14 | Function . . . . . . . . . . . . . . . . . . . . . . 16 | |||
5.2.3. Tree-Based Construction . . . . . . . . . . . . . . . 15 | 5.2.3. Tree-Based Construction . . . . . . . . . . . . . . . 16 | |||
5.3. Serial Constructions . . . . . . . . . . . . . . . . . . 16 | 5.3. Serial Constructions . . . . . . . . . . . . . . . . . . 17 | |||
5.3.1. Serial Construction Based on a KDF on a Block Cipher 18 | 5.3.1. Serial Construction Based on a KDF on a Block Cipher 19 | |||
5.3.2. Serial Construction Based on a KDF on a Hash Function 18 | 5.3.2. Serial Construction Based on a KDF on a Hash Function 19 | |||
5.4. Using Additional Entropy during Re-keying . . . . . . . . 18 | 5.4. Using Additional Entropy during Re-keying . . . . . . . . 19 | |||
6. Internal Re-keying Mechanisms . . . . . . . . . . . . . . . . 19 | 6. Internal Re-keying Mechanisms . . . . . . . . . . . . . . . . 20 | |||
6.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 21 | 6.1. Methods of Key Lifetime Control . . . . . . . . . . . . . 22 | |||
6.2. Constructions that Do Not Require a Master Key . . . . . 22 | 6.2. Constructions that Do Not Require a Master Key . . . . . 23 | |||
6.2.1. ACPKM Re-keying Mechanisms . . . . . . . . . . . . . 22 | 6.2.1. ACPKM Re-keying Mechanisms . . . . . . . . . . . . . 23 | |||
6.2.2. CTR-ACPKM Encryption Mode . . . . . . . . . . . . . . 24 | 6.2.2. CTR-ACPKM Encryption Mode . . . . . . . . . . . . . . 24 | |||
6.2.3. GCM-ACPKM Authenticated Encryption Mode . . . . . . . 26 | 6.2.3. GCM-ACPKM Authenticated Encryption Mode . . . . . . . 26 | |||
6.3. Constructions that Require a Master Key . . . . . . . . . 28 | 6.3. Constructions that Require a Master Key . . . . . . . . . 29 | |||
6.3.1. ACPKM-Master Key Derivation from the Master Key . . . 29 | 6.3.1. ACPKM-Master Key Derivation from the Master Key . . . 29 | |||
6.3.2. CTR-ACPKM-Master Encryption Mode . . . . . . . . . . 31 | 6.3.2. CTR-ACPKM-Master Encryption Mode . . . . . . . . . . 31 | |||
6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode . . . 33 | 6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode . . . 33 | |||
6.3.4. CBC-ACPKM-Master Encryption Mode . . . . . . . . . . 35 | 6.3.4. CBC-ACPKM-Master Encryption Mode . . . . . . . . . . 36 | |||
6.3.5. CFB-ACPKM-Master Encryption Mode . . . . . . . . . . 38 | 6.3.5. CFB-ACPKM-Master Encryption Mode . . . . . . . . . . 37 | |||
6.3.6. OMAC-ACPKM-Master Authentication Mode . . . . . . . . 40 | 6.3.6. OMAC-ACPKM-Master Authentication Mode . . . . . . . . 39 | |||
7. Joint Usage of External and Internal Re-keying . . . . . . . 41 | 7. Joint Usage of External and Internal Re-keying . . . . . . . 41 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 42 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 42 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 43 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 42 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 44 | 10.2. Informative References . . . . . . . . . . . . . . . . . 44 | |||
Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 46 | Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 47 | |||
A.1. Test Examples for External Re-keying . . . . . . . . . . 46 | A.1. Test Examples for External Re-keying . . . . . . . . . . 47 | |||
A.1.1. External Re-keying with a Parallel Construction . . . 47 | A.1.1. External Re-keying with a Parallel Construction . . . 47 | |||
A.1.2. External Re-keying with a Serial Construction . . . . 48 | A.1.2. External Re-keying with a Serial Construction . . . . 48 | |||
A.2. Test Examples for Internal Re-keying . . . . . . . . . . 51 | A.2. Test Examples for Internal Re-keying . . . . . . . . . . 51 | |||
A.2.1. Internal Re-keying Mechanisms that Do Not | A.2.1. Internal Re-keying Mechanisms that Do Not | |||
Require a Master Key . . . . . . . . . . . . . . . . 51 | Require a Master Key . . . . . . . . . . . . . . . . 51 | |||
A.2.2. Internal Re-keying Mechanisms with a Master Key . . . 55 | A.2.2. Internal Re-keying Mechanisms with a Master Key . . . 55 | |||
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 67 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 67 | |||
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 67 | Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 67 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 68 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 68 | |||
1. Introduction | 1. Introduction | |||
A certain maximum amount of data can be safely encrypted when | A certain maximum amount of data can be safely encrypted when | |||
encryption is performed under a single key. Hereinafter, this amount | encryption is performed under a single key. Hereinafter, this amount | |||
will be referred to as the "key lifetime". The need for such a | will be referred to as the "key lifetime". The need for such a | |||
limitation is dictated by the following methods of cryptanalysis: | limitation is dictated by the following methods of cryptanalysis: | |||
skipping to change at page 6, line 14 ¶ | skipping to change at page 7, line 12 ¶ | |||
details). External or internal re-keying can be used in network | details). External or internal re-keying can be used in network | |||
protocols as well as in the systems for data-at-rest encryption. | protocols as well as in the systems for data-at-rest encryption. | |||
Depending on the concrete protocol characteristics, there might be | Depending on the concrete protocol characteristics, there might be | |||
situations in which both external and internal re-keying mechanisms | situations in which both external and internal re-keying mechanisms | |||
(see Section 7) can be applied. For example, a similar approach was | (see Section 7) can be applied. For example, a similar approach was | |||
used in Taha's tree construction (see [TAHA]). | used in Taha's tree construction (see [TAHA]). | |||
Note that there are key-updating (key regression) algorithms (e.g., | Note that there are key-updating (key regression) algorithms (e.g., | |||
[FKK2005] and [KMNT2003]) that are called "re-keying" as well, but | [FKK2005] and [KMNT2003]) that are called "re-keying" as well, but | |||
they pursue the goal without increasing the key lifetime. Therefore, | they pursue goals other than increasing the key lifetime. Therefore, | |||
key regression algorithms are excluded from the considerations here. | key regression algorithms are excluded from the considerations here. | |||
This document represents the consensus of the Crypto Forum Research | This document represents the consensus of the Crypto Forum Research | |||
Group (CFRG). | Group (CFRG). | |||
2. Conventions Used in This Document | 2. Conventions Used in This Document | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
skipping to change at page 11, line 36 ¶ | skipping to change at page 12, line 33 ¶ | |||
| | | | | | | | |||
| | | | | | | | |||
| | | | | | | | |||
| | | | | | | | |||
| | | | | | | | |||
| | | | | | | | |||
| | | | | | | | |||
| L2| | | | L2| | | |||
+----------------+ v | +----------------+ v | |||
Figure 2: Basic Principles of Message Processing without External Re- | Figure 2: Basic Principles of Message Processing | |||
keying | without External Re-keying | |||
Suppose that the safety margin for the protocol P is fixed and the | Suppose that the safety margin for the protocol P is fixed and the | |||
external re-keying approach is applied to the initial key K to | external re-keying approach is applied to the initial key K to | |||
generate the sequence of frame keys. The frame keys are generated in | generate the sequence of frame keys. The frame keys are generated in | |||
such a way that the leakage of a previous frame key does not have any | such a way that the leakage of a previous frame key does not have any | |||
impact on the following one, so the side-channel limitation L1 is | impact on the following one, so the side-channel limitation L1 is | |||
switched off. Thus, the resulting key lifetime limitation of the | switched off. Thus, the resulting key lifetime limitation of the | |||
initial key K can be calculated on the basis of a new combinatorial | initial key K can be calculated on the basis of a new combinatorial | |||
limitation L2'. It is proven (see [AbBell]) that the security of the | limitation L2'. It is proven (see [AbBell]) that the security of the | |||
mode of operation that uses external re-keying leads to an increase | mode of operation that uses external re-keying leads to an increase | |||
skipping to change at page 12, line 34 ¶ | skipping to change at page 13, line 31 ¶ | |||
... | . . . | | ... | . . . | | |||
| | | | | | |||
| | | | | | |||
| L2| | | L2| | |||
+----------------+ | +----------------+ | |||
| | | | | | |||
... ... | ... ... | |||
| L2'| | | L2'| | |||
+----------------+ | +----------------+ | |||
Figure 3: Basic Principles of Message Processing with External Re- | Figure 3: Basic Principles of Message Processing | |||
keying | with External Re-keying | |||
Note: The key transformation process is depicted in a simplified | Note: The key transformation process is depicted in a simplified | |||
form. A specific approach (parallel and serial) is described below. | form. A specific approach (parallel and serial) is described below. | |||
Consider an example. Let the message size in a protocol P be equal | Consider an example. Let the message size in a protocol P be equal | |||
to 1 KB. Suppose L1 = 128 MB and L2 = 1 TB. Thus, if an external | to 1 KB. Suppose L1 = 128 MB and L2 = 1 TB. Thus, if an external | |||
re-keying mechanism is not used, the initial key K must be | re-keying mechanism is not used, the initial key K must be | |||
renegotiated after processing 128 MB / 1 KB = 131072 messages. | renegotiated after processing 128 MB / 1 KB = 131072 messages. | |||
If an external re-keying mechanism is used, the key lifetime | If an external re-keying mechanism is used, the key lifetime | |||
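Review bot: in the note under Figure 3, "A specific approach (parallel and serial) is described below" names two approaches with a singular subject and verb. Since this hunk already touches the Figure 3 caption, suggest "Specific approaches (parallel and serial) are described below."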
skipping to change at page 40, line 45 ¶ | skipping to change at page 40, line 22 ¶ | |||
| - key K1. | | | - key K1. | | |||
| Output: | | | Output: | | |||
| - key SK. | | | - key SK. | | |||
|-------------------------------------------------------------------| | |-------------------------------------------------------------------| | |||
| 1. If r = n, then return K1 | | | 1. If r = n, then return K1 | | |||
| 2. If r < n, then | | | 2. If r < n, then | | |||
| if MSB_1(K1) = 0 | | | if MSB_1(K1) = 0 | | |||
| return K1 << 1 | | | return K1 << 1 | | |||
| else | | | else | | |||
| return (K1 << 1) (xor) R_n | | | return (K1 << 1) (xor) R_n | | |||
| | | ||||
+-------------------------------------------------------------------+ | +-------------------------------------------------------------------+ | |||
Here, R_n takes the following values: | Here, R_n takes the following values: | |||
o n = 64: R_{64} = 0^{59} | 11011. | o n = 64: R_{64} = 0^{59} | 11011. | |||
o n = 128: R_{128} = 0^{120} | 10000111. | o n = 128: R_{128} = 0^{120} | 10000111. | |||
o n = 256: R_{256} = 0^{145} | 10000100101. | o n = 256: R_{256} = 0^{145} | 10000100101. | |||
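Review bot: the R_256 constant in the unchanged list under the box does not have length n. 0^{59} | 11011 is 59 + 5 = 64 bits and 0^{120} | 10000111 is 120 + 8 = 128 bits, but 0^{145} | 10000100101 is 145 + 11 = 156 bits, not 256; the zero run would have to be 0^{245} for the string to be 256 bits long. Both columns carry the same value, so this revision does not address it; suggest correcting the exponent (or recording it as an erratum) so that step 2 of the box, which XORs R_n into an n-bit K1 << 1, is well defined for n = 256.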
End of changes. 13 change blocks. | ||||
38 lines changed or deleted | 36 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |