As the culmination of a four-year competitive process, NIST (the
National Institute of Standards and Technology) has selected the AES
(Advanced Encryption Standard), the successor to the venerable DES
(Data Encryption Standard). The competition was an open one, with
public participation and comment solicited at each step of the
process. The AES [AES], formerly known as Rijndael, was chosen from
a field of five finalists.
The AES selection was made on the basis of several characteristics:
+ security
+ unclassified
+ publicly disclosed
+ available royalty-free, worldwide
+ capable of handling a block size of at least 128 bits
+ at a minimum, capable of handling key sizes of 128, 192, and
256 bits
+ computational efficiency and memory requirements on a variety
of software and hardware, including smart cards
+ flexibility, simplicity and ease of implementation
The AES will be the government's designated encryption cipher. The
expectation is that the AES will suffice to protect sensitive
(unclassified) government information until at least the next
century. It is also expected to be widely adopted by businesses and
financial institutions.
Frankel, et al. Standards Track [Page 2]
RFC 3602 AES-CBC Cipher Algorithm Use with IPsec September 2003
It is the intention of the IETF IPsec Working Group that AES will
eventually be adopted as the default IPsec ESP cipher and will obtain
the status of MUST be included in compliant IPsec implementations.
The remainder of this document specifies the use of the AES within
the context of IPsec ESP. For further information on how the various
pieces of ESP fit together to provide security services, refer to
[ARCH], [ESP], and [ROAD].
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that
appear in this document are to be interpreted as described in
[RFC-2119].
All symmetric block cipher algorithms share common characteristics
and variables, including mode, key size, weak keys, block size, and
rounds. The following sections contain descriptions of the relevant
characteristics of the AES cipher.
NIST has defined 5 modes of operation for AES and other FIPS-approved
ciphers [MODES]: CBC (Cipher Block Chaining), ECB (Electronic
CodeBook), CFB (Cipher FeedBack), OFB (Output FeedBack) and CTR
(Counter). The CBC mode is well-defined and well-understood for
symmetric ciphers, and is currently required for all other ESP
ciphers. This document specifies the use of the AES cipher in CBC
mode within ESP. This mode requires an Initialization Vector (IV)
that is the same size as the block size. Use of a randomly generated
IV prevents generation of identical ciphertext from packets which
have identical data that spans the first block of the cipher
algorithm's block size.
The IV is XOR'd with the first plaintext block before it is
encrypted. Then for successive blocks, the previous ciphertext block
is XOR'd with the current plaintext, before it is encrypted.
More information on CBC mode can be obtained in [MODES, CRYPTO-S].
For the use of CBC mode in ESP with 64-bit ciphers, see [CBC].
Frankel, et al. Standards Track [Page 3]
RFC 3602 AES-CBC Cipher Algorithm Use with IPsec September 2003
AES supports three key sizes: 128 bits, 192 bits, and 256 bits. The
default key size is 128 bits, and all implementations MUST support
this key size. Implementations MAY also support key sizes of 192
bits and 256 bits.
AES uses a different number of rounds for each of the defined key
sizes. When a 128-bit key is used, implementations MUST use 10
rounds. When a 192-bit key is used, implementations MUST use 12
rounds. When a 256-bit key is used, implementations MUST use 14
rounds.
At the time of writing this document there are no known weak keys for
the AES.
Some cipher algorithms have weak keys or keys that MUST not be used
due to their interaction with some aspect of the cipher's definition.
If weak keys are discovered for the AES, then weak keys SHOULD be
checked for and discarded when using manual key management. When
using dynamic key management, such as [IKE], weak key checks SHOULD
NOT be performed as they are seen as an unnecessary added code
complexity that could weaken the intended security [EVALUATION].
The AES uses a block size of sixteen octets (128 bits).
Padding is required by the AES to maintain a 16-octet (128-bit)
blocksize. Padding MUST be added, as specified in [ESP], such that
the data to be encrypted (which includes the ESP Pad Length and Next
Header fields) has a length that is a multiple of 16 octets.
Because of the algorithm specific padding requirement, no additional
padding is required to ensure that the ciphertext terminates on a 4-
octet boundary (i.e., maintaining a 16-octet blocksize guarantees
that the ESP Pad Length and Next Header fields will be right aligned
within a 4-octet word). Additional padding MAY be included, as
specified in [ESP], as long as the 16-octet blocksize is maintained.
AES was invented by Joan Daemen from Banksys/PWI and Vincent Rijmen
from ESAT-COSIC, both in Belgium, and is available world-wide on a
royalty-free basis. It is not covered by any patents, and the
Rijndael homepage contains the following statement: "Rijndael is
Frankel, et al. Standards Track [Page 4]
RFC 3602 AES-CBC Cipher Algorithm Use with IPsec September 2003
available for free. You can use it for whatever purposes you want,
irrespective of whether it is accepted as AES or not." AES's
description can be found in [AES]. The Rijndael homepage is:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
The AES homepage, http://www.nist.gov/aes, contains a wealth of
information about the AES, including a definitive description of the
AES algorithm, performance statistics, test vectors and intellectual
property information. This site also contains information on how to
obtain an AES reference implementation from NIST.
For a comparison table of the estimated speeds of AES and other
cipher algorithms, please see [PERF-1], [PERF-2], [PERF-3], or
[PERF-4]. The AES homepage has pointers to other analyses.
The ESP payload is made up of the IV followed by raw cipher-text.
Thus the payload field, as defined in [ESP], is broken down according
to the following diagram:
+---------------+---------------+---------------+---------------+
| |
+ Initialization Vector (16 octets) +
| |
+---------------+---------------+---------------+---------------+
| |
~ Encrypted Payload (variable length, a multiple of 16 octets) ~
| |
+---------------------------------------------------------------+
The IV field MUST be the same size as the block size of the cipher
algorithm being used. The IV MUST be chosen at random, and MUST be
unpredictable.
Including the IV in each datagram ensures that decryption of each
received datagram can be performed, even when some datagrams are
dropped, or datagrams are re-ordered in transit.
To avoid CBC encryption of very similar plaintext blocks in different
packets, implementations MUST NOT use a counter or other low-Hamming
distance source for IVs.
Frankel, et al. Standards Track [Page 5]
RFC 3602 AES-CBC Cipher Algorithm Use with IPsec September 2003
The minimum number of bits sent from the key exchange protocol to the
ESP algorithm must be greater than or equal to the key size.
The cipher's encryption and decryption key is taken from the first
<x> bits of the keying material, where <x> represents the required
key size.
A companion competition, to select the successor to SHA-1, the
widely-used hash algorithm, recently concluded. The resulting
hashes, called SHA-256, SHA-384 and SHA-512 [SHA2-1, SHA2-2] are
capable of producing output of three different lengths (256, 384 and
512 bits), sufficient for the generation (within IKE) and
authentication (within ESP) of the three AES key sizes (128, 192 and
256 bits).
However, HMAC-SHA-1 [HMAC-SHA] and HMAC-MD5 [HMAC-MD5] are currently
considered of sufficient strength to serve both as IKE generators of
128-bit AES keys and as ESP authenticators for AES encryption using
128-bit keys.
Frankel, et al. Standards Track [Page 10]
RFC 3602 AES-CBC Cipher Algorithm Use with IPsec September 2003
Implementations are encouraged to use the largest key sizes they can
when taking into account performance considerations for their
particular hardware and software configuration. Note that encryption
necessarily impacts both sides of a secure channel, so such
consideration must take into account not only the client side, but
the server as well. However, a key size of 128 bits is considered
secure for the foreseeable future.
For more information regarding the necessary use of random IV values,
see [CRYPTO-B].
For further security considerations, the reader is encouraged to read
[AES].
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementers or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Frankel, et al. Standards Track [Page 11]
RFC 3602 AES-CBC Cipher Algorithm Use with IPsec September 2003
[AES] NIST, FIPS PUB 197, "Advanced Encryption Standard
(AES)," November 2001.
http://csrc.nist.gov/publications/fips/fips197/
fips-197.{ps,pdf}
[CBC] Pereira, R. and R. Adams, "The ESP CBC-Mode Cipher
Algorithms", RFC 2451, November 1998.
[ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[ARCH] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[CRYPTO-B] Bellovin, S., "Probable Plaintext Cryptanalysis of the
IP Security Protocols", Proceedings of the Symposium on
Network and Distributed System Security, San Diego, CA,
pp. 155-160, February 1997.
http://www.research.att.com/~smb/papers/probtxt.pdf
[CRYPTO-S] B. Schneier, "Applied Cryptography Second Edition", John
Wiley & Sons, New York, NY, 1995, ISBN 0-471-12845-7.
[DOI] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, November 1998.
[EVALUATION] Ferguson, N. and B. Schneier, "A Cryptographic
Evaluation of IPsec," Counterpane Internet Security,
Inc., January 2000.
http://www.counterpane.com/ipsec.pdf
[HMAC-MD5] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
ESP and AH", RFC 2403, November 1998.
[HMAC-SHA] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96
within ESP and AH", RFC 2404, November 1998.
[IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
Frankel, et al. Standards Track [Page 12]
RFC 3602 AES-CBC Cipher Algorithm Use with IPsec September 2003
[MODES] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Methods and Techniques," NIST Special
Publication 800-38A, December 2001.
http://csrc.nist.gov/publications/nistpubs/
800-38a/sp800-38a.pdf
[PERF-1] Bassham, L. III, "Efficiency Testing of ANSI C
Implementations of Round1 Candidate Algorithms for the
Advanced Encryption Standard."
http://csrc.nist.gov/encryption/aes/round1/r1-ansic.pdf
[PERF-2] Lipmaa, Helger, "AES/Rijndael: speed."
http://www.tcs.hut.fi/~helger/aes/rijndael.html
[PERF-3] Nechvetal, J., E. Barker, D. Dodson, M. Dworkin, J.
Foti and E. Roback, "Status Report on the First Round of
the Development of the Advanced Encryption Standard."
http://csrc.nist.gov/encryption/aes/round1/r1report.pdf
[PERF-4] Schneier, B., J. Kelsey, D. Whiting, D. Wagner, C.
Hall, and N. Ferguson, "Performance Comparison of the
AES Submissions."
http://www.counterpane.com/aes-performance.pdf
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[ROAD] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security
Document Roadmap", RFC 2411, November 1998.
[SHA2-1] NIST, FIPS PUB 180-2 "Specifications for the Secure Hash
Standard," August 2002.
http://csrc.nist.gov/publications/fips/fips180-2/
fips180-2.pdf
[SHA2-2] "Descriptions of SHA-256, SHA-384, and SHA-512."
http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf
Portions of this text, as well as its general structure, were
unabashedly lifted from [CBC].
The authors want to thank Hilarie Orman for providing expert advice
(and a sanity check) on key sizes, requirements for Diffie-Hellman
groups, and IKE interactions. We also thank Scott Fluhrer for his
helpful comments and recommendations.
Frankel, et al. Standards Track [Page 13]
RFC 3602 AES-CBC Cipher Algorithm Use with IPsec September 2003
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Frankel, et al. Standards Track [Page 15]