rfc4493.The-AES-CMAC-Algorithm

NetworkWorkingGroupJH.SongRequestforComments:4493R.PoovendranCategory:InformationalUniversityofWashingtonJ.LeeSamsungElectronicsT.IwataNagoyaUniversityJune2006TheAES-CMACAlgorithmStatusofThisMemoThismemoprovidesinformationfortheInternetcommunity.ItdoesnotspecifyanInternetstandardofanykind.Distributionofthismemoisunlimited.CopyrightNoticeCopyright(C)TheInternetSociety(2006).AbstractTheNationalInstituteofStandardsandTechnology(NIST)hasrecentlyspecifiedtheCipher-basedMessageAuthenticationCode(CMAC),whichisequivalenttotheOne-KeyCBCMAC1(OMAC1)submittedbyIwataandKurosawa.ThismemospecifiesanauthenticationalgorithmbasedonCMACwiththe128-bitAdvancedEncryptionStandard(AES).ThisnewauthenticationalgorithmisnamedAES-CMAC.ThepurposeofthisdocumentistomaketheAES-CMACalgorithmconvenientlyavailabletotheInternetCommunity.Song,etal.Informational[Page1]RFC4493TheAES-CMACAlgorithmJune2006TableofContents1.Introduction....................................................22.SpecificationofAES-CMAC.......................................32.1.BasicDefinitions..........................................32.2.Overview...................................................42.3.SubkeyGenerationAlgorithm................................52.4.MACGenerationAlgorithm...................................72.5.MACVerificationAlgorithm.................................93.SecurityConsiderations........................................104.TestVectors...................................................115.Acknowledgement................................................126.References.....................................................126.1.NormativeReferences......................................126.2.InformativeReferences....................................12AppendixA.TestCode.............................................141.IntroductionTheNationalInstituteofStandardsandTechnology(NIST)hasrecentlyspecifiedtheCipher-basedMessageAuthenticationCode(CMAC).CMAC[NIST-CMAC]isakeyedhashfunctionthatisbasedonasymmetrickeyblockcipher,suchastheAdvancedEncryptionStandard[NIST-AES].CMACisequivalenttotheOne-KeyCBCMAC1(OMAC1)submittedbyIwataandKurosawa[OMAC1a,OMAC1b].OMAC1isanimprovementoftheeXtendedCipherBlockChainingmode(XCBC)submittedbyBlackandRogaway[XCBCa,XCBCb],whichitselfisanimprovementofthebasicCipherBlockChaining-MessageAuthenticationCode(CBC-MAC).XCBCefficientlyaddressesthesecuritydeficienciesofCBC-MAC,andOMAC1efficientlyreducesthekeysizeofXCBC.AES-CMACprovidesstrongerassuranceofdataintegritythanachecksumoranerror-detectingcode.Theverificationofachecksumoranerror-detectingcodedetectsonlyaccidentalmodificationsofthedata,whileCMACisdesignedtodetectintentional,unauthorizedmodificationsofthedata,aswellasaccidentalmodifications.AES-CMACachievesasecuritygoalsimilartothatofHMAC[RFC-HMAC].SinceAES-CMACisbasedonasymmetrickeyblockcipher,AES,andHMACisbasedonahashfunction,suchasSHA-1,AES-CMACisappropriateforinformationsystemsinwhichAESismorereadilyavailablethanahashfunction.ThismemospecifiestheauthenticationalgorithmbasedonCMACwithAES-128.ThisnewauthenticationalgorithmisnamedAES-CMAC.Song,etal.Informational[Page2]RFC4493TheAES-CMACAlgorithmJune20062.SpecificationofAES-CMAC2.1.BasicDefinitionsThefollowingtabledescribesthebasicdefinitionsnecessarytoexplainthespecificationofAES-CMAC.x||yConcatenation.x||yisthestringxconcatenatedwiththestringy.0000||1111is00001111.xXORyExclusive-ORoperation.Fortwoequallengthstrings,xandy,xXORyistheirbit-wiseexclusive-OR.ceil(x)Ceilingfunction.Thesmallestintegernosmallerthanx.ceil(3.5)is4.ceil(5)is5.x1Left-shiftofthestringxby1bit.Themostsignificantbitdisappears,andazerocomesintotheleastsignificantbit.100100011is00100010.0^nThestringthatconsistsofnzero-bits.0^3means000inbinaryformat.10^4means10000inbinaryformat.10^imeans1followedbyi-timesrepeatedzeros.MSB(x)Themost-significantbitofthestringx.MSB(10010000)means1.padding(x)10^ipaddedoutputofinputx.Itisdescribedindetailinsection2.4.Key128-bit(16-octet)longkeyforAES-128.DenotedbyK.Firstsubkey128-bit(16-octet)longfirstsubkey,derivedthroughthesubkeygenerationalgorithmfromthekeyK.DenotedbyK1.Song,etal.Informational[Page3]RFC4493TheAES-CMACAlgorithmJune2006Secondsubkey128-bit(16-octet)longsecondsubkey,derivedthroughthesubkeygenerationalgorithmfromthekeyK.DenotedbyK2.MessageAmessagetobeauthenticated.DenotedbyM.Themessagecanbenull,whichmeansthatthelengthofMis0.MessagelengthThelengthofthemessageMinoctets.Denotedbylen.Theminimumvalueofthelengthcanbe0.Themaximumvalueofthelengthisnotspecifiedinthisdocument.AES-128(K,M)AES-128(K,M)isthe128-bitciphertextofAES-128fora128-bitkey,K,anda128-bitmessage,M.MACA128-bitstringthatistheoutputofAES-CMAC.DenotedbyT.ValidatingtheMACprovidesassuranceoftheintegrityandauthenticityofthemessagefromthesource.MAClengthBydefault,thelengthoftheoutputofAES-CMACis128bits.ItispossibletotruncatetheMAC.Theresultofthetruncationshouldbetakeninmostsignificantbitsfirstorder.TheMAClengthmustbespecifiedbeforethecommunicationstarts,anditmustnotbechangedduringthelifetimeofthekey.2.2.OverviewAES-CMACuses