Tech-invite3GPPspaceIETF RFCsSIP
929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 8645

Re-keying Mechanisms for Symmetric Keys

Pages: 69
Informational
Part 2 of 3 – Pages 20 to 43
First   Prev   Next

Top   ToC   RFC8645 - Page 20   prevText

6. Internal Re-keying Mechanisms

This section presents an approach to increasing the key lifetime by using a transformation of a data-processing key (section key) during each separate message processing. Each message is processed starting with the same key (the first section key), and each section key is updated after processing N bits of the message (section). This section provides internal re-keying mechanisms called ACPKM (Advanced Cryptographic Prolongation of Key Material) and ACPKM- Master that do not use a master key and use a master key, respectively. Such mechanisms are integrated into the base modes of operation and actually form new modes of operation. Therefore, they are called "internal re-keying" mechanisms in this document. Internal re-keying mechanisms are recommended to be used in protocols that process large single messages (e.g., CMS messages), since the maximum gain in increasing the key lifetime is achieved by increasing the length of a message, while it provides almost no increase in the number of messages that can be processed with one initial key. Internal re-keying increases the key lifetime through the following approach. Suppose protocol P uses some base mode of operation. Let L1 and L2 be a side channel and combinatorial limitations, respectively, and for some fixed number of messages q, let m1, m2 be the lengths of messages that can be safely processed with a single initial key K according to these limitations. Thus, the approach without re-keying (analogous to Section 5) yields a final key lifetime restriction equal to L1, and only q messages of the length m1 can be safely processed; see Figure 7.
Top   ToC   RFC8645 - Page 21
                K
                |
                v
      ^ +----------------+------------------------------------+
      | |==============L1|                                  L2|
      | |================|                                    |
      q |================|                                    |
      | |================|                                    |
      | |================|                                    |
      v +----------------+------------------------------------+
        <-------m1------->
        <----------------------------m2----------------------->

             Figure 7: Basic Principles of Message Processing
                        without Internal Re-keying

   Suppose that the safety margin for the protocol P is fixed and the
   internal re-keying approach is applied to the base mode of operation.
   Suppose further that every message is processed with a section key,
   which is transformed after processing N bits of data, where N is a
   parameter.  If q * N does not exceed L1, then the side-channel
   limitation L1 goes off, and the resulting key lifetime limitation of
   the initial key K can be calculated on the basis of a new
   combinatorial limitation L2'.  The security of the mode of operation
   that uses internal re-keying increases when compared to the base mode
   of operation without re-keying (thus, L2 < L2').  Hence, as displayed
   in Figure 8, the resulting key lifetime limitation if using internal
   re-keying can be increased up to L2'.

     K-----> K^1-------------> K^2 -----------> . . .
             |                 |
             v                 v
   ^ +---------------+---------------+------------------+--...--+
   | |=============L1|=============L1|======          L2|    L2'|
   | |===============|===============|======            |       |
   q |===============|===============|====== . . .      |       |
   | |===============|===============|======            |       |
   | |===============|===============|======            |       |
   v +---------------+---------------+------------------+--...--+
     <-------N------->

             Figure 8: Basic Principles of Message Processing
                          with Internal Re-keying

   Note: The key transformation process is depicted in a simplified
   form.  A specific approach (ACPKM and ACPKM-Master re-keying
   mechanisms) is described below.
Top   ToC   RFC8645 - Page 22
   Since the performance of encryption can slightly decrease for rather
   small values of N, the maximum possible value should be selected for
   parameter N for a particular protocol in order to provide the
   necessary key lifetime for the considered security models.

   Consider an example.  Suppose L1 = 128 MB and L2 = 10 TB.  Let the
   message size in the protocol be large/unlimited (which may exhaust
   the whole key lifetime L2).  The most restrictive resulting key
   lifetime limitation is equal to 128 MB.

   Thus, there is a need to put a limit on the maximum message size
   m_max.  For example, if m_max = 32 MB, it may happen that the
   renegotiation of initial key K would be required after processing
   only four messages.

   If an internal re-keying mechanism with section size N = 1 MB is
   used, more than L1 / N = 128 MB / 1 MB = 128 messages can be
   processed before the renegotiation of initial key K (instead of four
   messages when an internal re-keying mechanism is not used).  Note
   that only one section of each message is processed with the section
   key K^i, and, consequently, the key lifetime limitation L1 goes off.
   Hence, the resulting key lifetime limitation L2' can be set to more
   than 10 TB (in cases when a single large message is processed using
   the initial key K).

6.1. Methods of Key Lifetime Control

Suppose L is an amount of data that can be safely processed with one section key and N is a section size (fixed parameter). Suppose M^{i}_1 is the first section of message M^{i}, i = 1, ... , q (see Figures 9 and 10); the parameter q can then be calculated in accordance with one of the following two approaches: o Explicit approach: q_i is such that |M^{1}_1| + ... + |M^{q}_1| <= L, |M^{1}_1| + ... + |M^{q+1}_1| > L This approach allows use of the section key K^i in an almost optimal way, but it can be applied only when messages cannot be lost or reordered (e.g., TLS records). o Implicit approach: q = L / N. The amount of data processed with one section key K^i is calculated under the assumption that the length of every message is equal to or greater than section size N and thus can be considerably less than the key lifetime limitation L. On the other hand, this approach can be applied when messages may be lost or reordered (e.g., DTLS records).
Top   ToC   RFC8645 - Page 23

6.2. Constructions that Do Not Require a Master Key

This section describes the block cipher modes that use the ACPKM re-keying mechanism, which does not use a master key; an initial key is used directly for the data encryption.

6.2.1. ACPKM Re-keying Mechanisms

This section defines a periodical key transformation without a master key, which is called the ACPKM re-keying mechanism. This mechanism can be applied to one of the base encryption modes (CTR and GCM block cipher modes) to get an extension of this encryption mode that uses periodical key transformation without a master key. This extension can be considered as a new encryption mode. An additional parameter that defines the functioning of base encryption modes with the ACPKM re-keying mechanism is the section size N. The value of N is measured in bits and is fixed within a specific protocol based on the requirements of the system capacity and the key lifetime. The section size N MUST be divisible by the block size n. The main idea behind internal re-keying without a master key is presented in Figure 9: Section size = const = N, maximum message size = m_max. ____________________________________________________________________ ACPKM ACPKM ACPKM K^1 = K ---> K^2 ---...-> K^{l_max-1} ----> K^{l_max} | | | | | | | | v v v v M^{1} |==========|==========| ... |==========|=======: | M^{2} |==========|==========| ... |=== | : | . . . . . . : : : : : : : : M^{q} |==========|==========| ... |==========|===== : | section : <----------> m_max N bit ___________________________________________________________________ l_max = ceil(m_max/N). Figure 9: Internal Re-keying without a Master Key
Top   ToC   RFC8645 - Page 24
   During the processing of the input message M with the length m in
   some encryption mode that uses the ACPKM key transformation of the
   initial key K, the message is divided into l = ceil(m / N) sections
   (denoted as M = M_1 | M_2 | ... | M_l, where M_i is in V_N for i in
   {1, 2, ... , l - 1} and M_l is in V_r, r <= N).  The first section of
   each message is processed with the section key K^1 = K.  To process
   the (i + 1)-th section of each message, the section key K^{i+1} is
   calculated using the ACPKM transformation as follows:

      K^{i+1} = ACPKM(K^i) = MSB_k(E_{K^i}(D_1) | ... | E_{K^i}(D_J)),

   where J = ceil(k/n) and D_1, D_2, ... , D_J are in V_n and are
   calculated as follows:

      D_1 | D_2 | ... | D_J = MSB_{J * n}(D),

   where D is the following constant in V_{1024}:

             D = ( 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87
                 | 88 | 89 | 8a | 8b | 8c | 8d | 8e | 8f
                 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97
                 | 98 | 99 | 9a | 9b | 9c | 9d | 9e | 9f
                 | a0 | a1 | a2 | a3 | a4 | a5 | a6 | a7
                 | a8 | a9 | aa | ab | ac | ad | ae | af
                 | b0 | b1 | b2 | b3 | b4 | b5 | b6 | b7
                 | b8 | b9 | ba | bb | bc | bd | be | bf
                 | c0 | c1 | c2 | c3 | c4 | c5 | c6 | c7
                 | c8 | c9 | ca | cb | cc | cd | ce | cf
                 | d0 | d1 | d2 | d3 | d4 | d5 | d6 | d7
                 | d8 | d9 | da | db | dc | dd | de | df
                 | e0 | e1 | e2 | e3 | e4 | e5 | e6 | e7
                 | e8 | e9 | ea | eb | ec | ed | ee | ef
                 | f0 | f1 | f2 | f3 | f4 | f5 | f6 | f7
                 | f8 | f9 | fa | fb | fc | fd | fe | ff)

   Note: The constant D is such that D_1, ... , D_J are pairwise
   different for any allowed n and k values.

   Note: The highest bit of each octet of the constant D is equal to 1.
   This condition is important as, in conjunction with a certain mode
   message length limitation, it allows prevention of collisions of
   block cipher permutation inputs in cases with key transformation and
   message processing (for more details, see Section 4.4 of [AAOS2017]).
Top   ToC   RFC8645 - Page 25

6.2.2. CTR-ACPKM Encryption Mode

This section defines a CTR-ACPKM encryption mode that uses the ACPKM internal re-keying mechanism for the periodical key transformation. The CTR-ACPKM mode can be considered as the base encryption mode CTR (see [MODES]) extended by the ACPKM re-keying mechanism. The CTR-ACPKM encryption mode can be used with the following parameters: o 64 <= n <= 512. o 128 <= k <= 512. o The number c of bits in a specific part of the block to be incremented is such that 32 <= c <= 3 / 4 n, where c is a multiple of 8. o The maximum message size m_max = n * 2^{c-1}. The CTR-ACPKM mode encryption and decryption procedures are defined as follows: +----------------------------------------------------------------+ | CTR-ACPKM-Encrypt(N, K, ICN, P) | |----------------------------------------------------------------| | Input: | | - section size N, | | - initial key K, | | - initial counter nonce ICN in V_{n-c}, | | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | | Output: | | - ciphertext C. | |----------------------------------------------------------------| | 1. CTR_1 = ICN | 0^c | | 2. For j = 2, 3, ... , b do | | CTR_{j} = Inc_c(CTR_{j-1}) | | 3. K^1 = K | | 4. For i = 2, 3, ... , ceil(|P| / N) | | K^i = ACPKM(K^{i-1}) | | 5. For j = 1, 2, ... , b do | | i = ceil(j * n / N), | | G_j = E_{K^i}(CTR_j) | | 6. C = P (xor) MSB_{|P|}(G_1 | ... | G_b) | | 7. Return C | +----------------------------------------------------------------+
Top   ToC   RFC8645 - Page 26
   +----------------------------------------------------------------+
   |  CTR-ACPKM-Decrypt(N, K, ICN, C)                               |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - initial counter nonce ICN in V_{n-c},                       |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max.               |
   |  Output:                                                       |
   |  - plaintext P.                                                |
   |----------------------------------------------------------------|
   |  1. P = CTR-ACPKM-Encrypt(N, K, ICN, C)                        |
   |  2. Return P                                                   |
   +----------------------------------------------------------------+

   The initial counter nonce (ICN) value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.

6.2.3. GCM-ACPKM Authenticated Encryption Mode

This section defines the GCM-ACPKM authenticated encryption mode that uses the ACPKM internal re-keying mechanism for the periodical key transformation. The GCM-ACPKM mode can be considered as the base authenticated encryption mode GCM (see [GCM]) extended by the ACPKM re-keying mechanism. The GCM-ACPKM authenticated encryption mode can be used with the following parameters: o n in {128, 256}. o 128 <= k <= 512. o The number c of bits in a specific part of the block to be incremented is such that 1 / 4 n <= c <= 1 / 2 n, c is a multiple of 8. o Authentication tag length t. o The maximum message size m_max = min{n * (2^{c-1} - 2), 2^{n/2} - 1}.
Top   ToC   RFC8645 - Page 27
   The GCM-ACPKM mode encryption and decryption procedures are defined
   as follows:

   +-------------------------------------------------------------------+
   |  GHASH(X, H)                                                      |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - bit string X = X_1 | ... | X_m, X_1, ... , X_m in V_n.         |
   |  Output:                                                          |
   |  - block GHASH(X, H) in V_n.                                      |
   |-------------------------------------------------------------------|
   |  1. Y_0 = 0^n                                                     |
   |  2. For i = 1, ... , m do                                         |
   |         Y_i = (Y_{i-1} (xor) X_i) * H                             |
   |  3. Return Y_m                                                    |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCTR(N, K, ICB, X)                                               |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - initial counter block ICB,                                     |
   |  - X = X_1 | ... | X_b.                                           |
   |  Output:                                                          |
   |  - Y in V_{|X|}.                                                  |
   |-------------------------------------------------------------------|
   |  1. If X in V_0, then return Y, where Y in V_0                    |
   |  2. GCTR_1 = ICB                                                  |
   |  3. For i = 2, ... , b do                                         |
   |         GCTR_i = Inc_c(GCTR_{i-1})                                |
   |  4. K^1 = K                                                       |
   |  5. For j = 2, ... , ceil(|X| / N)                                |
   |         K^j = ACPKM(K^{j-1})                                      |
   |  6. For i = 1, ... , b do                                         |
   |         j = ceil(i * n / N),                                      |
   |         G_i = E_{K_j}(GCTR_i)                                     |
   |  7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b)                        |
   |  8. Return Y                                                      |
   +-------------------------------------------------------------------+
Top   ToC   RFC8645 - Page 28
   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Encrypt(N, K, ICN, P, A)                               |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - initial counter nonce ICN in V_{n-c},                          |
   |  - plaintext P = P_1 | ... | P_b, |P| <= m_max,                   |
   |  - additional authenticated data A.                               |
   |  Output:                                                          |
   |  - ciphertext C,                                                  |
   |  - authentication tag T.                                          |
   |-------------------------------------------------------------------|
   |  1. H = E_{K}(0^n)                                                |
   |  2. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  3. C = GCTR(N, K, Inc_c(ICB_0), P)                               |
   |  4. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |               | Vec_{n/2}(|C|), H)                                |
   |  6. T = MSB_t(E_{K}(ICB_0) (xor) S)                               |
   |  7. Return C | T                                                  |
   +-------------------------------------------------------------------+

   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Decrypt(N, K, ICN, A, C, T)                            |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - initial counter block ICN,                                     |
   |  - additional authenticated data A,                               |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max,                  |
   |  - authentication tag T.                                          |
   |  Output:                                                          |
   |  - plaintext P or FAIL.                                           |
   |-------------------------------------------------------------------|
   |  1. H = E_{K}(0^n)                                                |
   |  2. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  3. P = GCTR(N, K, Inc_c(ICB_0), C)                               |
   |  4. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  5. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |               | Vec_{n/2}(|C|), H)                                |
   |  6. T' = MSB_t(E_{K}(ICB_0) (xor) S)                              |
   |  7. If T = T', then return P; else return FAIL                    |
   +-------------------------------------------------------------------+
Top   ToC   RFC8645 - Page 29
   The * operation on (pairs of) the 2^n possible blocks corresponds to
   the multiplication operation for the binary Galois (finite) field of
   2^n elements defined by the polynomial f as follows (analogous to
   [GCM]):

   n = 128:  f = a^128 + a^7 + a^2 + a^1 + 1,

   n = 256:  f = a^256 + a^10 + a^5 + a^2 + 1.

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key K must be chosen in a unique
   manner.

   The key for computing values E_{K}(ICB_0) and H is not updated and is
   equal to the initial key K.

6.3. Constructions that Require a Master Key

This section describes the block cipher modes that use the ACPKM- Master re-keying mechanism, which use the initial key K as a master key, so K is never used directly for data processing but is used for key derivation.

6.3.1. ACPKM-Master Key Derivation from the Master Key

This section defines periodical key transformation with a master key, which is called the ACPKM-Master re-keying mechanism. This mechanism can be applied to one of the base modes of operation (CTR, GCM, CBC, CFB, OMAC modes) for getting an extension that uses periodical key transformation with a master key. This extension can be considered as a new mode of operation. Additional parameters that define the functioning of modes of operation that use the ACPKM-Master re-keying mechanism are the section size N, the change frequency T* of the master keys K*_1, K*_2, ... (see Figure 10), and the size d of the section key material. The values of N and T* are measured in bits and are fixed within a specific protocol based on the requirements of the system capacity and the key lifetime. The section size N MUST be divisible by the block size n. The master key frequency T* MUST be divisible by d and by n.
Top   ToC   RFC8645 - Page 30
   The main idea behind internal re-keying with a master key is
   presented in Figure 10:

   Master key frequency T*,
   section size N,
   maximum message size = m_max.
   _____________________________________________________________________

                           ACPKM                 ACPKM
                K*_1 = K----------> K*_2 ---------...-----> K*_l_max
               ___|___            ___|___                 ___|___
              |       |          |       |               |       |
              v  ...  v          v  ...  v               v  ...  v
            K[1]     K[t]     K[t+1]  K[2*t]  K[(l_max-1)t+1] K[l_max*t]
              |       |          |       |               |       |
              |       |          |       |               |       |
              v       v          v       v               v       v
   M^{1}||======|...|======||======|...|======||...||======|...|==  : ||
   M^{2}||======|...|======||======|...|======||...||======|...|====: ||
    ... ||      |   |      ||      |   |      ||   ||      |   |    : ||
   M^{q}||======|...|======||====  |...|      ||...||      |...|    : ||
          section                                                   :
         <------>                                                   :
           N bit                                                  m_max
   _____________________________________________________________________
   |K[i]| = d,
   t = T* / d,
   l_max = ceil(m_max / (N * t)).


              Figure 10: Internal Re-keying with a Master Key

   During the processing of the input message M with the length m in
   some mode of operation that uses ACPKM-Master key transformation with
   the initial key K and the master key frequency T*, the message M is
   divided into l = ceil(m / N) sections (denoted as M = M_1 | M_2 |
   ... | M_l, where M_i is in V_N for i in {1, 2, ... , l - 1} and M_l
   is in V_r, r <= N).  The j-th section of each message is processed
   with the key material K[j], j in {1, ... , l}, |K[j]| = d, which is
   calculated with the ACPKM-Master algorithm as follows:

      K[1] | ... | K[l] = ACPKM-Master(T*, K, d, l) = CTR-ACPKM-Encrypt
      (T*, K, 1^{n/2}, 0^{d*l}).

   Note: The parameters d and l MUST be such that d * l <= n *
   2^{n/2-1}.
Top   ToC   RFC8645 - Page 31

6.3.2. CTR-ACPKM-Master Encryption Mode

This section defines a CTR-ACPKM-Master encryption mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The CTR-ACPKM-Master encryption mode can be considered as the base encryption mode CTR (see [MODES]) extended by the ACPKM-Master re-keying mechanism. The CTR-ACPKM-Master encryption mode can be used with the following parameters: o 64 <= n <= 512. o 128 <= k <= 512. o The number c of bits in a specific part of the block to be incremented is such that 32 <= c <= 3 / 4 n, c is a multiple of 8. o The maximum message size m_max = min{N * (n * 2^{n/2-1} / k), n * 2^c}. The key material K[j] that is used for one-section processing is equal to K^j, where |K^j| = k bits.
Top   ToC   RFC8645 - Page 32
   The CTR-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   +----------------------------------------------------------------+
   |  CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, P)                    |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - master key frequency T*,                                    |
   |  - initial counter nonce ICN in V_{n-c},                       |
   |  - plaintext P = P_1 | ... | P_b, |P| <= m_max.                |
   |  Output:                                                       |
   |  - ciphertext C.                                               |
   |----------------------------------------------------------------|
   |  1. CTR_1 = ICN | 0^c                                          |
   |  2. For j = 2, 3, ... , b do                                   |
   |         CTR_{j} = Inc_c(CTR_{j-1})                             |
   |  3. l = ceil(|P| / N)                                          |
   |  4. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                |
   |  5. For j = 1, 2, ... , b do                                   |
   |         i = ceil(j * n / N),                                   |
   |         G_j = E_{K^i}(CTR_j)                                   |
   |  6. C = P (xor) MSB_{|P|}(G_1 | ... |G_b)                      |
   |  7. Return C                                                   |
   |----------------------------------------------------------------+

   +----------------------------------------------------------------+
   |  CTR-ACPKM-Master-Decrypt(N, K, T*, ICN, C)                    |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - master key frequency T*,                                    |
   |  - initial counter nonce ICN in V_{n-c},                       |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max.               |
   |  Output:                                                       |
   |  - plaintext P.                                                |
   |----------------------------------------------------------------|
   |  1. P = CTR-ACPKM-Master-Encrypt(N, K, T*, ICN, C)             |
   |  1. Return P                                                   |
   +----------------------------------------------------------------+

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key must be chosen in a unique
   manner.
Top   ToC   RFC8645 - Page 33

6.3.3. GCM-ACPKM-Master Authenticated Encryption Mode

This section defines a GCM-ACPKM-Master authenticated encryption mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The GCM-ACPKM-Master authenticated encryption mode can be considered as the base authenticated encryption mode GCM (see [GCM]) extended by the ACPKM-Master re-keying mechanism. The GCM-ACPKM-Master authenticated encryption mode can be used with the following parameters: o n in {128, 256}. o 128 <= k <= 512. o The number c of bits in a specific part of the block to be incremented is such that 1 / 4 n <= c <= 1 / 2 n, c is a multiple of 8. o authentication tag length t. o the maximum message size m_max = min{N * ( n * 2^{n/2-1} / k), n * (2^c - 2), 2^{n/2} - 1}. The key material K[j] that is used for the j-th section processing is equal to K^j, |K^j| = k bits. The GCM-ACPKM-Master mode encryption and decryption procedures are defined as follows: +-------------------------------------------------------------------+ | GHASH(X, H) | |-------------------------------------------------------------------| | Input: | | - bit string X = X_1 | ... | X_m, X_i in V_n for i in {1, ... ,m}| | Output: | | - block GHASH(X, H) in V_n | |-------------------------------------------------------------------| | 1. Y_0 = 0^n | | 2. For i = 1, ... , m do | | Y_i = (Y_{i-1} (xor) X_i) * H | | 3. Return Y_m | +-------------------------------------------------------------------+
Top   ToC   RFC8645 - Page 34
   +-------------------------------------------------------------------+
   |  GCTR(N, K, T*, ICB, X)                                           |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - master key frequency T*,                                       |
   |  - initial counter block ICB,                                     |
   |  - X = X_1 | ... | X_b.                                           |
   |  Output:                                                          |
   |  - Y in V_{|X|}.                                                  |
   |-------------------------------------------------------------------|
   |  1. If X in V_0, then return Y, where Y in V_0                    |
   |  2. GCTR_1 = ICB                                                  |
   |  3. For i = 2, ... , b do                                         |
   |         GCTR_i = Inc_c(GCTR_{i-1})                                |
   |  4. l = ceil(|X| / N)                                             |
   |  5. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                   |
   |  6. For j = 1, ... , b do                                         |
   |         i = ceil(j * n / N),                                      |
   |         G_j = E_{K^i}(GCTR_j)                                     |
   |  7. Y = X (xor) MSB_{|X|}(G_1 | ... | G_b)                        |
   |  8. Return Y                                                      |
   +-------------------------------------------------------------------+
Top   ToC   RFC8645 - Page 35
   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Master-Encrypt(N, K, T*, ICN, P, A)                    |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - master key frequency T*,                                       |
   |  - initial counter nonce ICN in V_{n-c},                          |
   |  - plaintext P = P_1 | ... | P_b, |P| <= m_max.                   |
   |  - additional authenticated data A.                               |
   |  Output:                                                          |
   |  - ciphertext C,                                                  |
   |  - authentication tag T.                                          |
   |-------------------------------------------------------------------|
   |  1. K^1 = ACPKM-Master(T*, K, k, 1)                               |
   |  2. H = E_{K^1}(0^n)                                              |
   |  3. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  4. C = GCTR(N, K, T*, Inc_c(ICB_0), P)                           |
   |  5. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |               | Vec_{n/2}(|C|), H)                                |
   |  7. T = MSB_t(E_{K^1}(ICB_0) (xor) S)                             |
   |  8. Return C | T                                                  |
   +-------------------------------------------------------------------+
Top   ToC   RFC8645 - Page 36
   +-------------------------------------------------------------------+
   |  GCM-ACPKM-Master-Decrypt(N, K, T*, ICN, A, C, T)                 |
   |-------------------------------------------------------------------|
   |  Input:                                                           |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - master key frequency T*,                                       |
   |  - initial counter nonce ICN in V_{n-c},                          |
   |  - additional authenticated data A.                               |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max,                  |
   |  - authentication tag T.                                          |
   |  Output:                                                          |
   |  - plaintext P or FAIL.                                           |
   |-------------------------------------------------------------------|
   |  1. K^1 = ACPKM-Master(T*, K, k, 1)                               |
   |  2. H = E_{K^1}(0^n)                                              |
   |  3. ICB_0 = ICN | 0^{c-1} | 1                                     |
   |  4. P = GCTR(N, K, T*, Inc_c(ICB_0), C)                           |
   |  5. u = n * ceil(|C| / n) - |C|                                   |
   |     v = n * ceil(|A| / n) - |A|                                   |
   |  6. S = GHASH(A | 0^v | C | 0^u | Vec_{n/2}(|A|) |                |
   |               | Vec_{n/2}(|C|), H)                                |
   |  7. T' = MSB_t(E_{K^1}(ICB_0) (xor) S)                            |
   |  8. If T = T', then return P; else return FAIL.                   |
   +-------------------------------------------------------------------+

   The * operation on (pairs of) the 2^n possible blocks corresponds to
   the multiplication operation for the binary Galois (finite) field of
   2^n elements defined by the polynomial f as follows (by analogy with
   [GCM]):

   n = 128:  f = a^128 + a^7 + a^2 + a^1 + 1,

   n = 256:  f = a^256 + a^10 + a^5 + a^2 + 1.

   The initial counter nonce ICN value for each message that is
   encrypted under the given initial key must be chosen in a unique
   manner.
Top   ToC   RFC8645 - Page 37

6.3.4. CBC-ACPKM-Master Encryption Mode

This section defines a CBC-ACPKM-Master encryption mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The CBC-ACPKM-Master encryption mode can be considered as the base encryption mode CBC (see [MODES]) extended by the ACPKM-Master re-keying mechanism. The CBC-ACPKM-Master encryption mode can be used with the following parameters: o 64 <= n <= 512. o 128 <= k <= 512. o The maximum message size m_max = N * (n * 2^{n/2-1} / k). In the specification of the CBC-ACPKM-Master mode, the plaintext and ciphertext must be a sequence of one or more complete data blocks. If the data string to be encrypted does not initially satisfy this property, then it MUST be padded to form complete data blocks. The padding methods are out of the scope of this document. An example of a padding method can be found in Appendix A of [MODES]. The key material K[j] that is used for the j-th section processing is equal to K^j, |K^j| = k bits. We use D_{K} to denote the decryption function that is a permutation inverse to E_{K}.
Top   ToC   RFC8645 - Page 38
   The CBC-ACPKM-Master mode encryption and decryption procedures are
   defined as follows:

   +----------------------------------------------------------------+
   |  CBC-ACPKM-Master-Encrypt(N, K, T*, IV, P)                     |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - master key frequency T*,                                    |
   |  - initialization vector IV in V_n,                            |
   |  - plaintext P = P_1 | ... | P_b, |P_b| = n, |P| <= m_max.     |
   |  Output:                                                       |
   |  - ciphertext C.                                               |
   |----------------------------------------------------------------|
   |  1. l = ceil(|P| / N)                                          |
   |  2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                |
   |  3. C_0 = IV                                                   |
   |  4. For j = 1, 2, ... , b do                                   |
   |         i = ceil(j * n / N),                                   |
   |         C_j = E_{K^i}(P_j (xor) C_{j-1})                       |
   |  5. Return C = C_1 | ... | C_b                                 |
   |----------------------------------------------------------------+

   +----------------------------------------------------------------+
   |  CBC-ACPKM-Master-Decrypt(N, K, T*, IV, C)                     |
   |----------------------------------------------------------------|
   |  Input:                                                        |
   |  - section size N,                                             |
   |  - initial key K,                                              |
   |  - master key frequency T*,                                    |
   |  - initialization vector IV in V_n,                            |
   |  - ciphertext C = C_1 | ... | C_b, |C_b| = n, |C| <= m_max.    |
   |  Output:                                                       |
   |  - plaintext P.                                                |
   |----------------------------------------------------------------|
   |  1. l = ceil(|C| / N)                                          |
   |  2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)                |
   |  3. C_0 = IV                                                   |
   |  4. For j = 1, 2, ... , b do                                   |
   |         i = ceil(j * n / N)                                    |
   |         P_j = D_{K^i}(C_j) (xor) C_{j-1}                       |
   |  5. Return P = P_1 | ... | P_b                                 |
   +----------------------------------------------------------------+

   The initialization vector IV for any particular execution of the
   encryption process must be unpredictable.
Top   ToC   RFC8645 - Page 39

6.3.5. CFB-ACPKM-Master Encryption Mode

This section defines a CFB-ACPKM-Master encryption mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The CFB-ACPKM-Master encryption mode can be considered as the base encryption mode CFB (see [MODES]) extended by the ACPKM-Master re-keying mechanism. The CFB-ACPKM-Master encryption mode can be used with the following parameters: o 64 <= n <= 512. o 128 <= k <= 512. o The maximum message size m_max = N * (n * 2^{n/2-1} / k). The key material K[j] that is used for the j-th section processing is equal to K^j, |K^j| = k bits. The CFB-ACPKM-Master mode encryption and decryption procedures are defined as follows: +-------------------------------------------------------------+ | CFB-ACPKM-Master-Encrypt(N, K, T*, IV, P) | |-------------------------------------------------------------| | Input: | | - section size N, | | - initial key K, | | - master key frequency T*, | | - initialization vector IV in V_n, | | - plaintext P = P_1 | ... | P_b, |P| <= m_max. | | Output: | | - ciphertext C. | |-------------------------------------------------------------| | 1. l = ceil(|P| / N) | | 2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l) | | 3. C_0 = IV | | 4. For j = 1, 2, ... , b - 1 do | | i = ceil(j * n / N), | | C_j = E_{K^i}(C_{j-1}) (xor) P_j | | 5. C_b = MSB_{|P_b|}(E_{K^l}(C_{b-1})) (xor) P_b | | 6. Return C = C_1 | ... | C_b | |-------------------------------------------------------------+
Top   ToC   RFC8645 - Page 40
   +-------------------------------------------------------------+
   |  CFB-ACPKM-Master-Decrypt(N, K, T*, IV, C)                  |
   |-------------------------------------------------------------|
   |  Input:                                                     |
   |  - section size N,                                          |
   |  - initial key K,                                           |
   |  - master key frequency T*,                                 |
   |  - initialization vector IV in V_n,                         |
   |  - ciphertext C = C_1 | ... | C_b, |C| <= m_max.            |
   |  Output:                                                    |
   |  - plaintext P.                                             |
   |-------------------------------------------------------------|
   |  1. l = ceil(|C| / N)                                       |
   |  2. K^1 | ... | K^l = ACPKM-Master(T*, K, k, l)             |
   |  3. C_0 = IV                                                |
   |  4. For j = 1, 2, ... , b - 1 do                            |
   |         i = ceil(j * n / N),                                |
   |         P_j = E_{K^i}(C_{j-1}) (xor) C_j                    |
   |  5. P_b = MSB_{|C_b|}(E_{K^l}(C_{b-1})) (xor) C_b           |
   |  6. Return P = P_1 | ... | P_b                              |
   +-------------------------------------------------------------+

   The initialization vector IV for any particular execution of the
   encryption process must be unpredictable.

6.3.6. OMAC-ACPKM-Master Authentication Mode

This section defines an OMAC-ACPKM-Master message authentication code calculation mode that uses the ACPKM-Master internal re-keying mechanism for the periodical key transformation. The OMAC-ACPKM-Master mode can be considered as the base message authentication code calculation mode OMAC1, which is also known as CMAC (see [RFC4493]), extended by the ACPKM-Master re-keying mechanism. The OMAC-ACPKM-Master message authentication code calculation mode can be used with the following parameters: o n in {64, 128, 256}. o 128 <= k <= 512. o The maximum message size m_max = N * (n * 2^{n/2-1} / (k + n)). The key material K[j] that is used for one-section processing is equal to K^j | K^j_1, where |K^j| = k bits and |K^j_1| = n bits.
Top   ToC   RFC8645 - Page 41
   The following is a specification of the subkey generation process of
   OMAC:

   +-------------------------------------------------------------------+
   | Generate_Subkey(K1, r)                                            |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   |  - key K1.                                                        |
   |  Output:                                                          |
   |  - key SK.                                                        |
   |-------------------------------------------------------------------|
   |   1. If r = n, then return K1                                     |
   |   2. If r < n, then                                               |
   |          if MSB_1(K1) = 0                                         |
   |              return K1 << 1                                       |
   |          else                                                     |
   |              return (K1 << 1) (xor) R_n                           |
   +-------------------------------------------------------------------+

   Here, R_n takes the following values:

   o  n = 64: R_{64} = 0^{59} | 11011.

   o  n = 128: R_{128} = 0^{120} | 10000111.

   o  n = 256: R_{256} = 0^{145} | 10000100101.
Top   ToC   RFC8645 - Page 42
   The OMAC-ACPKM-Master message authentication code calculation mode is
   defined as follows:

   +-------------------------------------------------------------------+
   | OMAC-ACPKM-Master(K, N, T*, M)                                    |
   |-------------------------------------------------------------------|
   | Input:                                                            |
   |  - section size N,                                                |
   |  - initial key K,                                                 |
   |  - master key frequency T*,                                       |
   |  - plaintext M = M_1 | ... | M_b, |M| <= m_max.                   |
   |  Output:                                                          |
   |  - message authentication code T.                                 |
   |-------------------------------------------------------------------|
   | 1. C_0 = 0^n                                                      |
   | 2. l = ceil(|M| / N)                                              |
   | 3. K^1 | K^1_1 | ... | K^l | K^l_1 =                              |
                     = ACPKM-Master(T*, K, (k + n), l)                 |
   | 4. For j = 1, 2, ... , b - 1 do                                   |
   |        i = ceil(j * n / N),                                       |
   |        C_j = E_{K^i}(M_j (xor) C_{j-1})                           |
   | 5. SK = Generate_Subkey(K^l_1, |M_b|)                             |
   | 6. If |M_b| = n, then M*_b = M_b                                  |
   |                  else M*_b = M_b | 1 | 0^{n - 1 -|M_b|}           |
   | 7. T = E_{K^l}(M*_b (xor) C_{b-1} (xor) SK)                       |
   | 8. Return T                                                       |
   +-------------------------------------------------------------------+

7. Joint Usage of External and Internal Re-keying

Both external re-keying and internal re-keying have their own advantages and disadvantages, which are discussed in Section 1. For instance, using external re-keying can essentially limit the message length, while in the case of internal re-keying, the section size, which can be chosen as the maximal possible for operational properties, limits the number of separate messages. Therefore, the choice of re-keying mechanism (either external or internal) depends on particular protocol features. However, some protocols may have features that require the advantages of both the external and internal re-keying mechanisms: for example, the protocol mainly transmits short messages, but it must additionally support processing of very long messages. In such situations, it is necessary to use external and internal re-keying jointly, since these techniques negate each other's disadvantages. For composition of external and internal re-keying techniques, any mechanism described in Section 5 can be used with any mechanism described in Section 6.
Top   ToC   RFC8645 - Page 43
   For example, consider the GCM-ACPKM mode with external serial
   re-keying based on a KDF on a hash function.  Denote the number of
   messages in each frame (in the case of the implicit approach to the
   key lifetime control) for external re-keying as a frame size.

   Let L be a key lifetime limitation.  The section size N for internal
   re-keying and the frame size q for external re-keying must be chosen
   in such a way that q * N must not exceed L.

   Suppose that t messages (ICN_i, P_i, A_i), with initial counter nonce
   ICN_i, plaintext P_i, and additional authenticated data A_i will be
   processed before renegotiation.

   For authenticated encryption of each message (ICN_i, P_i, A_i), i =
   1, ..., t, the following algorithm can be applied:

   1. j = ceil(i / q),
   2. K^j = ExtSerialH(K, j),
   3. C_i | T_i = GCM-ACPKM-Encrypt(N, K^j, ICN_i, P_i, A_i).

   Note that nonces ICN_i that are used under the same frame key must be
   unique for each message.

8. Security Considerations

Re-keying should be used to increase a priori security properties of ciphers in hostile environments (e.g., with side-channel adversaries). If efficient attacks on a cipher are known, the cipher must not be used. Thus, re-keying cannot be used as a patch for vulnerable ciphers. Base cipher properties must be well analyzed because the security of re-keying mechanisms is based on the security of a block cipher as a pseudorandom function. Re-keying is not intended to solve any postquantum security issues for symmetric cryptography, since the reduction of security caused by Grover's algorithm is not connected with a size of plaintext transformed by a cipher -- only a negligible (sufficient for key uniqueness) material is needed -- and the aim of re-keying is to limit the size of plaintext transformed under one initial key. Re-keying can provide backward security only if previous key material is securely deleted after usage by all parties.

9. IANA Considerations

This document has no IANA actions.


Next Section