rfcdiff of draft-ietf-avtcore-aria-srtp-04.txt (August 23, 2013) against draft-ietf-avtcore-aria-srtp-05.txt (September 25, 2013); the text below is the -05 version.

AVTCore                                                           W. Kim
Internet-Draft                                                    J. Lee
Intended status: Standards Track                                  D. Kim
Expires: March 29, 2014                                          J. Park
                                                                 D. Kwon
                                                                    NSRI
                                                      September 25, 2013

      The ARIA Algorithm and Its Use with the Secure Real-time Transport
                              Protocol (SRTP)
                     draft-ietf-avtcore-aria-srtp-05

Abstract

   This document describes the use of the ARIA block cipher algorithm
   within the Secure Real-time Transport Protocol (SRTP) for providing
   confidentiality for the Real-time Transport Protocol (RTP) traffic
   and for the control traffic for RTP, the RTP Control Protocol (RTCP).
   It details three modes of operation (CTR, CCM, GCM) and an SRTP Key
   Derivation Function for ARIA.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 29, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [... unchanged text omitted; resumes at page 2, line 20 ...]
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  ARIA . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Cryptographic Transforms . . . . . . . . . . . . . . . . . .   3
     2.1.  ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . .   6
     2.3.  ARIA-CCM . . . . . . . . . . . . . . . . . . . . . . . .   9
   3.  Key Derivation Functions . . . . . . . . . . . . . . . . . .  11
   4.  Security Considerations  . . . . . . . . . . . . . . . . . .  12
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .  12
     5.1.  Security Descriptions (SDES) . . . . . . . . . . . . . .  12
     5.2.  DTLS-SRTP  . . . . . . . . . . . . . . . . . . . . . . .  13
     5.3.  MIKEY  . . . . . . . . . . . . . . . . . . . . . . . . .  18
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . .  19
     6.1.  Normative References . . . . . . . . . . . . . . . . . .  20
     6.2.  Informative References . . . . . . . . . . . . . . . . .  21
   Appendix A.  Test Vectors  . . . . . . . . . . . . . . . . . . .  21
     A.1.  ARIA-CTR Test Vectors  . . . . . . . . . . . . . . . . .  21
       A.1.1.  ARIA_128_CTR_HMAC_SHA1_80  . . . . . . . . . . . . .  22
       A.1.2.  ARIA_192_CTR_HMAC_SHA1_80  . . . . . . . . . . . . .  23
       A.1.3.  ARIA_256_CTR_HMAC_SHA1_80  . . . . . . . . . . . . .  23
     A.2.  ARIA-GCM Test Vectors  . . . . . . . . . . . . . . . . .  24
       A.2.1.  ARIA_128_GCM . . . . . . . . . . . . . . . . . . . .  24
       A.2.2.  ARIA_256_GCM . . . . . . . . . . . . . . . . . . . .  25
     A.3.  ARIA-CCM Test Vectors  . . . . . . . . . . . . . . . . .  25
       A.3.1.  ARIA_128_CCM . . . . . . . . . . . . . . . . . . . .  26
       A.3.2.  ARIA_256_CCM . . . . . . . . . . . . . . . . . . . .  26
       A.3.3.  ARIA_128_CCM_8 . . . . . . . . . . . . . . . . . . .  26
       A.3.4.  ARIA_256_CCM_8 . . . . . . . . . . . . . . . . . . .  27
       A.3.5.  ARIA_128_CCM_12  . . . . . . . . . . . . . . . . . .  27
       A.3.6.  ARIA_256_CCM_12  . . . . . . . . . . . . . . . . . .  28
     A.4.  Key Derivation Test Vector . . . . . . . . . . . . . . .  28
       A.4.1.  ARIA_128 . . . . . . . . . . . . . . . . . . . . . .  28
       A.4.2.  ARIA_192 . . . . . . . . . . . . . . . . . . . . . .  29
       A.4.3.  ARIA_256 . . . . . . . . . . . . . . . . . . . . . .  31
1.  Introduction

   This document describes the use of the ARIA [RFC5794] block cipher
   algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
   for providing confidentiality for the Real-time Transport Protocol
   (RTP) [RFC3550] traffic and for the control traffic for RTP, the RTP
   Control Protocol (RTCP) [RFC3550].

1.1.  ARIA

   ARIA is a general-purpose block cipher algorithm developed by Korean
   cryptographers in 2003.  It is an iterated block cipher with 128-,
   192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16
   rounds, depending on the key size.  It is secure and suitable for
   most software and hardware implementations on 32-bit and 8-bit
   processors.  It was established as a Korean standard block cipher
   algorithm in 2004 [ARIAKS] and has been widely used in Korea,

   [... unchanged text omitted; resumes at page 4, line 5 ...]
   ARIA_192_CTR and ARIA_256_CTR respectively, according to the key
   lengths.  The plaintext inputs to the block cipher are formed as in
   AES-CTR (AES_CM, AES_192_CM, AES_256_CM) and the block cipher outputs
   are processed as in AES-CTR.

   When ARIA-CTR is used, it MUST be used only in conjunction with an
   authentication function.  The ARIA-CTR crypto suites with HMAC-SHA1
   as an authentication function are listed below.  The authentication
   key length of all crypto suites is 20 octets.

   Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension
   keystream generation.  When ARIA-CTR is used, the header extension
   keystream SHALL be generated in the same manner except that each
   invocation of AES is replaced by that of ARIA.

   +---------------------------+-----------------+------------------+
   | Name                      | Enc. Key Length | Auth. Tag Length |
   +---------------------------+-----------------+------------------+
   | ARIA_128_CTR_HMAC_SHA1_80 | 16 octets       | 10 octets        |
   | ARIA_128_CTR_HMAC_SHA1_32 | 16 octets       | 4 octets         |
   | ARIA_192_CTR_HMAC_SHA1_80 | 24 octets       | 10 octets        |
   | ARIA_192_CTR_HMAC_SHA1_32 | 24 octets       | 4 octets         |
   | ARIA_256_CTR_HMAC_SHA1_80 | 32 octets       | 10 octets        |
   | ARIA_256_CTR_HMAC_SHA1_32 | 32 octets       | 4 octets         |
   +---------------------------+-----------------+------------------+
   [... unchanged text omitted; resumes at page 6, line 46 ...]

           Table 7: The ARIA_256_CTR_HMAC_SHA1_32 Crypto Suite
2.2.  ARIA-GCM

   GCM (Galois Counter Mode) [GCM][RFC5116] is an AEAD (authenticated
   encryption with associated data) block cipher mode.  ARIA-GCM is
   defined in the same way as AES-GCM, whose detailed description is
   found in [RFC5116][RFC5282].

   The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use
   of AES-GCM with SRTP [RFC3711][RFC6904].  The use of ARIA-GCM with
   SRTP is defined the same as that of AES-GCM except that each
   invocation of AES is replaced by ARIA.

   The ARIA-GCM algorithms in Table 8 may be used with SRTP and SRTCP:

   +----------------------+-----------------+------------------+
   | Name                 | Enc. Key Length | Auth. Tag Length |
   +----------------------+-----------------+------------------+
   | AEAD_ARIA_128_GCM    | 16 octets       | 16 octets        |
   | AEAD_ARIA_256_GCM    | 32 octets       | 16 octets        |
   | AEAD_ARIA_128_GCM_8  | 16 octets       | 8 octets         |
   | AEAD_ARIA_256_GCM_8  | 32 octets       | 8 octets         |

   [... unchanged text omitted; resumes at page 9, line 17 ...]

              Table 14: The AEAD_ARIA_256_GCM_12 Crypto Suite
2.3.  ARIA-CCM

   CCM (Counter with CBC-MAC) [RFC3610][RFC5116] is another AEAD block
   cipher mode.  ARIA-CCM is defined in the same way as AES-CCM, whose
   detailed description is found in [RFC5116] [RFC6655]
   [I-D.ietf-avtcore-srtp-aes-gcm].

   The internet draft [I-D.ietf-avtcore-srtp-aes-gcm] describes the use
   of AES-CCM with SRTP [RFC3711][RFC6904].  The use of ARIA-CCM with
   SRTP is defined the same as that of AES-CCM except that each
   invocation of AES is replaced by ARIA.

   The ARIA-CCM algorithms in Table 15 may be used with SRTP and SRTCP:

   +----------------------+-----------------+------------------+
   | Name                 | Enc. Key Length | Auth. Tag Length |
   +----------------------+-----------------+------------------+
   | AEAD_ARIA_128_CCM    | 16 octets       | 16 octets        |
   | AEAD_ARIA_256_CCM    | 32 octets       | 16 octets        |
   | AEAD_ARIA_128_CCM_8  | 16 octets       | 8 octets         |
   | AEAD_ARIA_256_CCM_8  | 32 octets       | 8 octets         |

   [... unchanged text omitted; resumes at page 12, line 20 ...]
   Derivation Function.  And SRTP_ARIA_256_CTR_HMAC,
   SRTP_AEAD_ARIA_256_GCM, and SRTP_AEAD_ARIA_256_CCM MUST use the
   ARIA_256_CTR_PRF Key Derivation Function.
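   The counter-mode plumbing that Sections 2.1 and 3 inherit unchanged
   from AES_CM is easy to get wrong at the byte-alignment level (salt
   shifted by 16 bits, SSRC at bit 64, packet index at bit 16, label
   XORed into the salt for the KDF).  The following Python is an added
   worked example, not code from the draft or from any ARIA
   implementation.  It applies the RFC 3711 Section 4.1.1 IV formula and
   the Section 4.3.1 key-derivation formula to the common values of
   Appendix A.1 (ROC, SEQ, SSRC, session salt).  Because the draft only
   replaces each AES invocation with ARIA, the block cipher is a
   pluggable callable; Python's standard library has no ARIA, so the
   `toy_block_cipher` stand-in (HMAC-SHA256 truncated to one block) is
   an assumption used purely to exercise the counter-mode structure
   offline.  It is not ARIA and must never be used as a cipher.  The
   master key and master salt used for the KDF call are constructed.

```python
"""SRTP counter-mode IV formation and key derivation (RFC 3711 4.1.1 and
4.3.1; RFC 6188 for 192/256-bit keys), the parts the ARIA_*_CTR and
ARIA_*_CTR_PRF transforms reuse with ARIA in place of AES.

Added example, not part of the draft.  `toy_block_cipher` is a labelled
STAND-IN for ARIA (not a cipher); every other input below is constructed
or taken from Appendix A.1 of the draft.
"""
import hashlib
import hmac
from typing import Callable

BlockCipher = Callable[[bytes, bytes], bytes]   # (key, 16-byte block) -> 16 bytes

# Common values from Appendix A.1 of the draft.
ROC = 0x00000000
SEQ = 0x315E
SSRC = 0x20E8F5EB
SESSION_SALT = bytes.fromhex("cd3a7c42c671e0067a2a2639b43a")   # 112 bits

# Constructed key material for the KDF demonstration (NOT from the draft).
MASTER_KEY = bytes(range(0x10, 0x20))
MASTER_SALT = bytes(range(14))

LABEL_RTP_ENCR, LABEL_RTP_AUTH, LABEL_RTP_SALT = 0x00, 0x01, 0x02


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """STAND-IN for ARIA: deterministic keyed 16-byte function, NOT a cipher."""
    if len(block) != 16:
        raise ValueError("block cipher input must be one 128-bit block")
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def srtp_packet_index(roc: int, seq: int) -> int:
    """48-bit SRTP packet index i = 2^16 * ROC + SEQ (RFC 3711, 3.3.1)."""
    return (roc << 16) | seq


def srtp_ctr_iv(session_salt: bytes, ssrc: int, index: int) -> bytes:
    """IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16)  (RFC 3711, 4.1.1)."""
    if len(session_salt) != 14:
        raise ValueError("session salt must be 112 bits")
    iv = (int.from_bytes(session_salt, "big") << 16) ^ (ssrc << 64) ^ (index << 16)
    return iv.to_bytes(16, "big")


def srtp_ctr_keystream(cipher: BlockCipher, key: bytes, iv: bytes, nbytes: int) -> bytes:
    """E(k, IV) || E(k, IV+1) || ...; the low 16 IV bits are the block counter."""
    out = bytearray()
    base = int.from_bytes(iv, "big")
    for j in range((nbytes + 15) // 16):
        out += cipher(key, ((base + j) % (1 << 128)).to_bytes(16, "big"))
    return bytes(out[:nbytes])


def srtp_ctr_crypt(cipher: BlockCipher, key: bytes, session_salt: bytes,
                   ssrc: int, roc: int, seq: int, data: bytes) -> bytes:
    """Encrypt or decrypt one RTP payload (CTR mode is its own inverse)."""
    iv = srtp_ctr_iv(session_salt, ssrc, srtp_packet_index(roc, seq))
    ks = srtp_ctr_keystream(cipher, key, iv, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def srtp_kdf_iv(master_salt: bytes, label: int, index: int, kdr: int) -> bytes:
    """x = master_salt XOR (label || index DIV kdr), right-aligned; IV = x * 2^16.
    RFC 3711 defines index DIV 0 = 0 (derive once)."""
    if not 0 <= label <= 0xFF or len(master_salt) != 14:
        raise ValueError("label must fit 8 bits and master salt must be 112 bits")
    r = index // kdr if kdr else 0
    x = int.from_bytes(master_salt, "big") ^ ((label << 48) | r)
    return (x << 16).to_bytes(16, "big")


def srtp_kdf(cipher: BlockCipher, master_key: bytes, master_salt: bytes,
             label: int, index: int, kdr: int, out_len: int) -> bytes:
    """Session key = first out_len octets of the counter-mode keystream over x."""
    return srtp_ctr_keystream(cipher, master_key,
                              srtp_kdf_iv(master_salt, label, index, kdr), out_len)
```

   The same keystream routine serves both the packet transform and the
   PRF, which is exactly how AES_CM and AES_CM_PRF relate in RFC 3711;
   swapping `toy_block_cipher` for a real ARIA block function (with a
   16-, 24- or 32-octet key) gives the ARIA_128/192/256_CTR and
   ARIA_*_CTR_PRF behaviour the draft specifies.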
4.  Security Considerations

   At the time of writing this document, no security problem has been
   found in ARIA (see [TSL]).

   The security considerations in [RFC3610] [GCM] [RFC3711] [RFC5116]
   [RFC6188] [RFC6904] [I-D.ietf-avtcore-srtp-aes-gcm] apply to this
   document as well.  Ciphersuites with a short tag length may be
   considered for the specific application environments stated in
   Section 7.5 of [RFC3711], but the risk of weak authentication
   described in Section 9.5.1 of [RFC3711] should be taken into account.
5.  IANA Considerations

5.1.  Security Descriptions (SDES)

   Security Descriptions [RFC4568] defines SRTP "crypto suites".  In
   order to allow SDP to signal the use of the algorithms defined in
   this document, IANA is requested to add the below crypto suites to
   the "SRTP Crypto Suite Registrations" created by [RFC4568], at time
   of writing located on the following IANA page: http://www.iana.org/
   assignments/sdp-security-descriptions/sdp-security-descriptions.xml
   #sdp-security-descriptions-3 [1]

   srtp-crypto-suite-ext = "ARIA_128_CTR_HMAC_SHA1_80"/
                           "ARIA_128_CTR_HMAC_SHA1_32"/
                           "ARIA_192_CTR_HMAC_SHA1_80"/

   [... unchanged text omitted; resumes at page 18, line 32 ...]
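   An endpoint that accepts these SDES suite names has one concrete
   check to make before keying SRTP: the inline key material in the
   "a=crypto" attribute must be exactly master key plus master salt for
   the named suite, and the key length per suite is what the tables in
   Sections 2.1 to 2.3 fix.  The following Python is an added example,
   not code from the draft or from any SDP stack.  Key and tag lengths
   are taken from those tables; the master salt lengths are an
   assumption carried over from the AES transforms the draft mirrors (14
   octets for the counter-mode suites per RFC 3711, 12 octets for the
   AEAD suites per the AES-GCM SRTP draft).  The "a=crypto" syntax
   follows RFC 4568 (tag, suite, "inline:" base64(key||salt), optional
   "|lifetime" and "|MKI:length").  The key material is constructed, not
   a real key.

```python
"""Parse and validate an SDP Security Descriptions (RFC 4568) crypto
attribute naming one of the ARIA suites this draft registers.

Added example, not part of the draft.  Salt lengths are an ASSUMPTION
taken from the AES transforms the draft mirrors; key material is
constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# suite -> (encryption key octets, auth tag octets, master salt octets)
ARIA_SUITES = {
    "ARIA_128_CTR_HMAC_SHA1_80": (16, 10, 14),
    "ARIA_128_CTR_HMAC_SHA1_32": (16, 4, 14),
    "ARIA_192_CTR_HMAC_SHA1_80": (24, 10, 14),
    "ARIA_192_CTR_HMAC_SHA1_32": (24, 4, 14),
    "ARIA_256_CTR_HMAC_SHA1_80": (32, 10, 14),
    "ARIA_256_CTR_HMAC_SHA1_32": (32, 4, 14),
    # AEAD suites: 12-octet salt is the assumption noted above
    "AEAD_ARIA_128_GCM": (16, 16, 12),
    "AEAD_ARIA_256_GCM": (32, 16, 12),
    "AEAD_ARIA_128_GCM_8": (16, 8, 12),
    "AEAD_ARIA_256_GCM_8": (32, 8, 12),
    "AEAD_ARIA_128_CCM": (16, 16, 12),
    "AEAD_ARIA_256_CCM": (32, 16, 12),
    "AEAD_ARIA_128_CCM_8": (16, 8, 12),
    "AEAD_ARIA_256_CCM_8": (32, 8, 12),
}


@dataclass
class CryptoAttr:
    tag: int
    suite: str
    master_key: bytes
    master_salt: bytes
    lifetime: Optional[str]
    mki: Optional[Tuple[int, int]]     # (MKI value, MKI length in octets)


# a=crypto:<tag> <suite> inline:<b64>[|lifetime][|mki:len] [session-params]
_CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)((?:\|[^ |]+)*)(?: .*)?$")


def parse_crypto_line(line: str) -> CryptoAttr:
    """Parse one a=crypto line; raise ValueError on anything we would not key from."""
    m = _CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an inline a=crypto attribute")
    tag, suite, b64, extras = m.groups()
    if suite not in ARIA_SUITES:
        raise ValueError(f"unsupported crypto suite {suite}")
    key_len, _tag_len, salt_len = ARIA_SUITES[suite]
    material = base64.b64decode(b64, validate=True)
    # The length check is the point: wrong length means wrong suite/key pairing.
    if len(material) != key_len + salt_len:
        raise ValueError(f"{suite}: expected {key_len + salt_len} octets of "
                         f"key||salt, got {len(material)}")
    lifetime, mki = None, None
    for part in extras.split("|")[1:]:
        if ":" in part:                      # MKI:length
            value, length = part.split(":", 1)
            mki = (int(value), int(length))
            if not 1 <= mki[1] <= 128:
                raise ValueError("MKI length out of range")
        else:                                # lifetime such as 2^20
            lifetime = part
    return CryptoAttr(int(tag), suite, material[:key_len],
                      material[key_len:], lifetime, mki)


def validate_crypto_line(line: str) -> Optional[str]:
    """None if the line is acceptable, else the reason it was rejected."""
    try:
        parse_crypto_line(line)
        return None
    except ValueError as exc:
        return str(exc)


def example_crypto_line(tag: int, suite: str, lifetime: str = "2^20",
                        mki: Tuple[int, int] = (1, 4)) -> str:
    """Build a well-formed attribute from CONSTRUCTED (non-random) key material."""
    key_len, _, salt_len = ARIA_SUITES[suite]
    material = bytes(range(1, key_len + salt_len + 1))   # constructed, NOT a real key
    params = f"inline:{base64.b64encode(material).decode()}|{lifetime}|{mki[0]}:{mki[1]}"
    return f"a=crypto:{tag} {suite} {params}"
```

   Rejecting a mismatched length rather than silently truncating or
   zero-padding matters because the salt is what keeps counter-mode
   keystreams distinct across SSRCs; a parser that pads a short "inline"
   value would key the transform with a predictable salt.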
5.3.  MIKEY

   [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
   SRTP policy in MIKEY.  In order to allow the use of the algorithms
   defined in this document in MIKEY, IANA is requested to add the below
   crypto suites to the "MIKEY Security Protocol Parameters SRTP Type 0
   (Encryption algorithm)" and to add the below PRF to the "MIKEY
   Security Protocol Parameters SRTP Type 5 (Pseudo Random Function)"
   created by [RFC3830], at time of writing located on the following
   IANA page: http://www.iana.org/assignments/mikey-payloads/mikey-
   payloads.xml#mikey-payloads-26 [3].

   +---------------+-------+
   | SRTP Enc. alg | Value |
   +---------------+-------+
   | ARIA-CTR      | TBD   |
   | ARIA-CCM      | TBD   |
   | ARIA-GCM      | TBD   |
   +---------------+-------+

   [... unchanged text omitted; resumes at page 20, line 47 ...]
   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764, May 2010.

   [RFC6188]  McGrew, D., "The Use of AES-192 and AES-256 in Secure
              RTP", RFC 6188, March 2011.

   [RFC6655]  McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for
              Transport Layer Security (TLS)", RFC 6655, July 2012.

   [RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
              Real-time Transport Protocol (SRTP)", RFC 6904, April
              2013.

6.2.  Informative References

   [ARIAKS]   Korean Agency for Technology and Standards, "128 bit block
              encryption algorithm ARIA - Part 1: General (in Korean)",
              KS X 1213-1:2009, December 2009.

   [ARIAPKCS] RSA Laboratories, "Additional PKCS #11 Mechanisms", PKCS
              #11 v2.20 Amendment 3 Revision 1, January 2007.

   [I-D.ietf-avtcore-srtp-aes-gcm]
              McGrew, D. and K. Igoe, "AES-GCM and AES-CCM Authenticated
              Encryption in Secure RTP (SRTP)", draft-ietf-avtcore-srtp-
              aes-gcm-10 (work in progress), September 2013.

   [RFC3610]  Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, September 2003.

   [RFC5748]  Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
              Registry Update for Support of the SEED Cipher Algorithm
              in Multimedia Internet KEYing (MIKEY)", RFC 5748, August
              2010.

   [RFC5794]  Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
              Description of the ARIA Encryption Algorithm", RFC 5794,
              March 2010.

   [TSL]      Tang, X., Sun, B., Li, R., Li, C., and J. Yin, "A meet-in-
              the-middle attack on reduced-round ARIA", The Journal of
              Systems and Software Vol.84(10), pp. 1685-1692, October
              2011.
Appendix A.  Test Vectors

   All values are in hexadecimal and represented in network byte order
   (big endian).

A.1.  ARIA-CTR Test Vectors

   Common values are organized as follows:

   Rollover Counter:    00000000
   Sequence Number:     315e
   SSRC:                20e8f5eb
   Authentication Key:  f93563311b354748c97891379553063116452309
   Session Salt:        cd3a7c42c671e0067a2a2639b43a

   [End of changes: 26 change blocks; 39 lines changed or deleted, 49
   lines changed or added.  Diff produced by rfcdiff 1.41,
   http://tools.ietf.org/tools/rfcdiff/]