draft-ietf-avtcore-aria-srtp-11.txt   rfc8269.txt 
AVTCore W. Kim Internet Engineering Task Force (IETF) W. Kim
Internet-Draft J. Lee Request for Comments: 8269 J. Lee
Intended status: Informational J. Park Category: Informational J. Park
Expires: February 9, 2018 D. Kwon ISSN: 2070-1721 D. Kwon
NSRI NSRI
D. Kim D. Kim
Kookmin Univ. Kookmin Univ.
August 8, 2017 October 2017
The ARIA Algorithm and Its Use with the Secure Real-time Transport The ARIA Algorithm and Its Use with
Protocol(SRTP) the Secure Real-Time Transport Protocol (SRTP)
draft-ietf-avtcore-aria-srtp-11
Abstract Abstract
This document defines the use of the ARIA block cipher algorithm This document defines the use of the ARIA block cipher algorithm
within the Secure Real-time Transport Protocol (SRTP). It details within the Secure Real-time Transport Protocol (SRTP). It details
two modes of operation (CTR, GCM) and the SRTP Key Derivation two modes of operation (CTR and GCM) and the SRTP key derivation
Functions for ARIA. Additionally, this document defines DTLS-SRTP functions for ARIA. Additionally, this document defines DTLS-SRTP
protection profiles and MIKEY parameter sets for the use with ARIA. protection profiles and Multimedia Internet KEYing (MIKEY) parameter
sets for use with ARIA.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on February 9, 2018. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8269.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. ARIA . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3 2. Cryptographic Transforms . . . . . . . . . . . . . . . . . . 3
2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. ARIA-CTR . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. ARIA-GCM . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 4 3. Key Derivation Functions . . . . . . . . . . . . . . . . . . 4
4. Protection Profiles . . . . . . . . . . . . . . . . . . . . . 4 4. Protection Profiles . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 7 6.1. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 8
6.2. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.2. MIKEY . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Normative References . . . . . . . . . . . . . . . . . . 8 7.1. Normative References . . . . . . . . . . . . . . . . . . 9
7.2. Informative References . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 11 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 12
A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 11 A.1. ARIA-CTR Test Vectors . . . . . . . . . . . . . . . . . . 12
A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . 11 A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 . . . . . . . . . . . 12
A.1.2. SRTP_ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . 12 A.1.2. SRTP_ARIA_256_CTR_HMAC_SHA1_80 . . . . . . . . . . . 13
A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 13 A.2. ARIA-GCM Test Vectors . . . . . . . . . . . . . . . . . . 14
A.2.1. SRTP_AEAD_ARIA_128_GCM . . . . . . . . . . . . . . . 14 A.2.1. SRTP_AEAD_ARIA_128_GCM . . . . . . . . . . . . . . . 14
A.2.2. SRTP_AEAD_ARIA_256_GCM . . . . . . . . . . . . . . . 14 A.2.2. SRTP_AEAD_ARIA_256_GCM . . . . . . . . . . . . . . . 15
A.3. Key Derivation Test Vector . . . . . . . . . . . . . . . 15 A.3. Key Derivation Test Vectors . . . . . . . . . . . . . . . 15
A.3.1. ARIA_128_CTR_PRF . . . . . . . . . . . . . . . . . . 15 A.3.1. ARIA_128_CTR_PRF . . . . . . . . . . . . . . . . . . 15
A.3.2. ARIA_256_CTR_PRF . . . . . . . . . . . . . . . . . . 16 A.3.2. ARIA_256_CTR_PRF . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
This document defines the use of the ARIA [RFC5794] block cipher This document defines the use of the ARIA block cipher algorithm
algorithm in the Secure Real-time Transport Protocol (SRTP) [RFC3711] [RFC5794] in the Secure Real-time Transport Protocol (SRTP) [RFC3711]
for providing confidentiality for the Real-time Transport Protocol for providing confidentiality for Real-time Transport Protocol (RTP)
(RTP) [RFC3550] traffic and for the RTP Control Protocol (RTCP) [RFC3550] traffic and for RTP Control Protocol (RTCP) [RFC3550]
[RFC3550] traffic. traffic.
1.1. ARIA 1.1. ARIA
ARIA is a general-purpose block cipher algorithm developed by Korean ARIA is a general-purpose block cipher algorithm developed by Korean
cryptographers in 2003. It is an iterated block cipher with 128-, cryptographers in 2003. It is an iterated block cipher with 128-,
192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16 192-, and 256-bit keys and encrypts 128-bit blocks in 12, 14, and 16
rounds, depending on the key size. It is secure and suitable for rounds, depending on the key size. It is secure and suitable for
most software and hardware implementations on 32-bit and 8-bit most software and hardware implementations on 32-bit and 8-bit
processors. It was established as a Korean standard block cipher processors. It was established as a Korean standard block cipher
algorithm in 2004 [ARIAKS] and has been widely used in Korea, algorithm in 2004 [ARIAKS] and has been widely used in Korea,
especially for government-to-public services. It was included in especially for government-to-public services. It was included in
PKCS #11 in 2007 [ARIAPKCS]. The algorithm specification and object Public-Key Cryptography Standards (PKCS) #11 in 2007 [ARIAPKCS]. The
identifiers are described in [RFC5794]. algorithm specification and object identifiers are described in
[RFC5794].
1.2. Terminology 1.2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Cryptographic Transforms 2. Cryptographic Transforms
Block ciphers ARIA and AES share common characteristics including Block ciphers ARIA and AES share common characteristics including
mode, key size, and block size. ARIA does not have any restrictions mode, key size, and block size. ARIA does not have any restrictions
for modes of operation that are used with this block cipher. We for modes of operation that are used with this block cipher. We
define two modes of running ARIA within the SRTP protocol, (1) ARIA define two modes of running ARIA within SRTP: (1) ARIA in Counter
in Counter Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode (ARIA- Mode (ARIA-CTR) and (2) ARIA in Galois/Counter Mode (ARIA-GCM).
GCM).
2.1. ARIA-CTR 2.1. ARIA-CTR
Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption, Section 4.1.1 of [RFC3711] defines AES-128 counter mode encryption,
which it refers to as "AES_CM". Section 2 of [RFC6188] defines which it refers to as "AES_CM". Section 2 of [RFC6188] defines
"AES_256_CM" in SRTP. ARIA counter modes are defined in the same "AES_256_CM" in SRTP. ARIA counter modes are defined in the same
manner except that each invocation of AES is replaced by that of ARIA manner except that each invocation of AES is replaced by that of ARIA
[RFC5794], and are denoted by ARIA_128_CTR and ARIA_256_CTR, [RFC5794] and are denoted by ARIA_128_CTR and ARIA_256_CTR,
respectively, according to the key lengths. The plaintext inputs to respectively, according to the key lengths. The plaintext inputs to
the block cipher are formed as in AES-CTR(AES_CM, AES_256_CM) and the the block cipher are formed as in AES-CTR (AES_CM, AES_256_CM) and
block cipher outputs are processed as in AES-CTR. Note that, ARIA- the block cipher outputs are processed as in AES-CTR. Note that,
CTR MUST be used only in conjunction with an authentication ARIA-CTR MUST be used only in conjunction with an authentication
transform. transform.
Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension Section 3.2 of [RFC6904] defines AES-CTR for SRTP header extension
keystream generation. When ARIA-CTR is used, the header extension keystream generation. When ARIA-CTR is used, the header extension
keystream SHALL be generated in the same manner except that each keystream SHALL be generated in the same manner except that each
invocation of AES is replaced by that of ARIA [RFC5794]. invocation of AES is replaced by that of ARIA [RFC5794].
2.2. ARIA-GCM 2.2. ARIA-GCM
GCM (Galois Counter Mode) [GCM][RFC5116] is an AEAD (Authenticated Galois/Counter Mode [GCM] [RFC5116] is an Authenticated Encryption
Encryption with Associated Data) block cipher mode. A detailed with Associated Data (AEAD) block cipher mode. A detailed
description of ARIA-GCM is defined similarly as AES-GCM found in description of ARIA-GCM is defined similarly as AES-GCM found in
[RFC5116][RFC5282]. [RFC5116] and [RFC5282].
The document [RFC7714] describes the use of AES-GCM with SRTP [RFC7714] describes the use of AES-GCM with SRTP. The use of ARIA-
[RFC3711][RFC6904]. The use of ARIA-GCM with SRTP is defined the GCM with SRTP is defined the same as AES-GCM except that each
same as that of AES-GCM except that each invocation of AES is invocation of AES is replaced by ARIA [RFC5794]. When encryption of
replaced by ARIA [RFC5794]. When encryption of header extensions header extensions [RFC6904] is in use, a separate keystream to
[RFC6904] is in use, a separate keystream to encrypt selected RTP encrypt selected RTP header extension elements MUST be generated in
header extension elements MUST be generated in the same manner the same manner defined in [RFC7714] except that AES-CTR is replaced
defined in [RFC7714] except that AES-CTR is replaced by ARIA-CTR. by ARIA-CTR.
3. Key Derivation Functions 3. Key Derivation Functions
Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key Section 4.3.3 of [RFC3711] defines the AES-128 counter mode key
derivation function, which it refers to as "AES-CM PRF". Section 3 derivation function, which it refers to as "AES-CM PRF". Section 3
of [RFC6188] defines the AES-256 counter mode key derivation of [RFC6188] defines the AES-256 counter mode key derivation
function, which it refers to as "AES_256_CM_PRF". The ARIA-CTR PRF function, which it refers to as "AES_256_CM_PRF". The ARIA-CTR
is defined in a same manner except that each invocation of AES is Pseudorandom Function (PRF) is defined in a same manner except that
replaced by that of ARIA. According to the key lengths of underlying each invocation of AES is replaced by that of ARIA. According to the
encryption algorithm, ARIA-CTR PRFs are denoted by "ARIA_128_CTR_PRF" key lengths of the underlying encryption algorithm, ARIA-CTR PRFs are
and "ARIA_256_CTR_PRF". The usage requirements of [RFC6188][RFC7714] denoted by "ARIA_128_CTR_PRF" and "ARIA_256_CTR_PRF". The usage
regarding the AES-CM PRF apply to the ARIA-CTR PRF as well. requirements of [RFC6188] and [RFC7714] regarding the AES-CM PRF
apply to the ARIA-CTR PRF as well.
4. Protection Profiles 4. Protection Profiles
This section defines SRTP Protection Profiles that use the ARIA This section defines SRTP protection profiles that use the ARIA
transforms and key derivation functions defined in this document. transforms and key derivation functions defined in this document.
The following list indicates the SRTP transform parameters for each The following list indicates the SRTP transform parameters for each
protection profile. Those are described for use with DTLS-SRTP protection profile. Those are described for use with DTLS-SRTP
[RFC5764]. [RFC5764].
The parameters cipher_key_length, cipher_salt_length, The parameters cipher_key_length, cipher_salt_length,
auth_key_length, and auth_tag_length express the number of bits in auth_key_length, and auth_tag_length express the number of bits in
the values to which they refer. The maximum_lifetime parameter the values to which they refer. The maximum_lifetime parameter
indicates the maximum number of packets that can be protected with indicates the maximum number of packets that can be protected with
each single set of keys when the parameter profile is in use. All of each single set of keys when the parameter profile is in use. All of
skipping to change at page 6, line 15 skipping to change at page 6, line 42
cipher_salt_length: 96 bits cipher_salt_length: 96 bits
aead_auth_tag_length: 128 bits aead_auth_tag_length: 128 bits
auth_function: NULL auth_function: NULL
auth_key_length: N/A auth_key_length: N/A
auth_tag_length: N/A auth_tag_length: N/A
key derivation function: ARIA_256_CTR_PRF key derivation function: ARIA_256_CTR_PRF
maximum_lifetime: at most 2^31 SRTCP packets and maximum_lifetime: at most 2^31 SRTCP packets and
at most 2^48 SRTP packets at most 2^48 SRTP packets
The ARIA-CTR protection profiles use the same authentication The ARIA-CTR protection profiles use the same authentication
transform that is mandatory to implement in SRTP, HMAC-SHA1 with a transform that is mandatory to implement in SRTP: HMAC-SHA1 with a
160-bit key. 160-bit key.
Note that SRTP Protection Profiles that use AEAD algorithms do not Note that SRTP protection profiles that use AEAD algorithms do not
specify an auth_function, auth_key_length, or auth_tag_length, since specify an auth_function, auth_key_length, or auth_tag_length, since
they do not use a separate auth_function, auth_key, or auth_tag. The they do not use a separate auth_function, auth_key, or auth_tag. The
term aead_auth_tag_length is used to emphasize that this refers to term aead_auth_tag_length is used to emphasize that this refers to
the authentication tag provided by the AEAD algorithm and that this the authentication tag provided by the AEAD algorithm and that this
tag is not located in the authentication tag field provided by SRTP/ tag is not located in the authentication tag field provided by SRTP/
SRTCP. SRTCP.
The PRFs for ARIA protection profiles are defined by ARIA-CTR PRF of The PRFs for ARIA protection profiles are defined by ARIA-CTR PRF of
the equal key length with the encryption algorithm (see Section 2). the equal key length with the encryption algorithm (see Section 2).
SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST use the SRTP_ARIA_128_CTR_HMAC and SRTP_AEAD_ARIA_128_GCM MUST use the
ARIA_128_CTR_PRF Key Derivation Function. And SRTP_ARIA_256_CTR_HMAC ARIA_128_CTR_PRF key derivation function. And SRTP_ARIA_256_CTR_HMAC
and SRTP_AEAD_ARIA_256_GCM MUST use the ARIA_256_CTR_PRF Key and SRTP_AEAD_ARIA_256_GCM MUST use the ARIA_256_CTR_PRF key
Derivation Function. derivation function.
MIKEY specifies the SRTP protection profile definition separately MIKEY specifies the SRTP protection profile definition separately
from the key length (which is specified by the Session Encryption key from the key length (which is specified by the session encryption key
length) and the authentication tag length. The DTLS-SRTP [RFC5764] length) and the authentication tag length. The DTLS-SRTP [RFC5764]
protection profiles are mapped to MIKEY parameter sets as shown protection profiles are mapped to MIKEY parameter sets as shown
below. below.
+--------------------------------------+ +--------------------------------------+
| Encryption | Encryption | Auth. | | Encryption | Encryption | Auth. |
| Algorithm | Key Length | Tag Length | | Algorithm | Key Length | Tag Length |
+======================================+ +======================================+
SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets | SRTP_ARIA_128_CTR_HMAC_80 | ARIA-CTR | 16 octets | 10 octets |
SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets | SRTP_ARIA_128_CTR_HMAC_32 | ARIA-CTR | 16 octets | 4 octets |
SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets | SRTP_ARIA_256_CTR_HMAC_80 | ARIA-CTR | 32 octets | 10 octets |
SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets | SRTP_ARIA_256_CTR_HMAC_32 | ARIA-CTR | 32 octets | 4 octets |
+======================================+ +======================================+
Figure 1: Mapping MIKEY parameters to ARIA-CTR with HMAC algorithm Figure 1: Mapping MIKEY Parameters to ARIA-CTR with the HMAC
Algorithm
+--------------------------------------+ +--------------------------------------+
| Encryption | Encryption | AEAD Auth. | | Encryption | Encryption | AEAD Auth. |
| Algorithm | Key Length | Tag Length | | Algorithm | Key Length | Tag Length |
+======================================+ +======================================+
SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets | SRTP_AEAD_ARIA_128_GCM | ARIA-GCM | 16 octets | 16 octets |
SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets | SRTP_AEAD_ARIA_256_GCM | ARIA-GCM | 32 octets | 16 octets |
+======================================+ +======================================+
Figure 2: Mapping MIKEY parameters to AEAD algorithm Figure 2: Mapping MIKEY Parameters to the ARIA-GCM Algorithm
5. Security Considerations 5. Security Considerations
At the time of publication of this document no security problem has At the time of publication of this document, no security problem has
been found on ARIA. Previous security analysis results are been found on ARIA. Previous security analysis results are
summarized in [ATY]. summarized in [ATY].
The security considerations in [GCM] [RFC3711] [RFC5116] [RFC6188] The security considerations in [GCM], [RFC3711], [RFC5116],
[RFC6904] [RFC7714] apply to this document as well. This document [RFC6188], [RFC6904], and [RFC7714] apply to this document as well.
includes crypto suites with authentication tags of length less than This document includes crypto suites with authentication tags of a
80 bits. These suites MAY be used for certain application contexts length less than 80 bits. These suites MAY be used for certain
where longer authentication tags may be undesirable, for example, application contexts where longer authentication tags may be
those mentioned in [RFC3711] section 7.5. Otherwise, short undesirable, for example, those mentioned in [RFC3711], Section 7.5.
authentication tags SHOULD NOT be used, since may reduce
authentication strength. See [RFC3711] section 9.5 for a discussion Otherwise, short authentication tags SHOULD NOT be used, since they
of risks related to weak authentication in SRTP. may reduce authentication strength. See [RFC3711], Section 9.5 for a
discussion of risks related to weak authentication in SRTP.
At the time of publication of this document, SRTP recommends HMAC- At the time of publication of this document, SRTP recommends HMAC-
SHA1 as the default and mandatory-to-implement MAC algorithm. All SHA1 as the default and mandatory-to-implement MAC algorithm. All
currently registered SRTP crypto suites except the GCM based ones use currently registered SRTP crypto suites except the GCM-based ones use
HMAC-SHA1 as their HMAC algorithm to provide message authentication. HMAC-SHA1 as their HMAC algorithm to provide message authentication.
Due to security concerns with SHA-1 [RFC6194], the IETF is gradually Due to security concerns with SHA-1 [RFC6194], the IETF is gradually
moving away from SHA-1 and towards stronger hash algorithms such as moving away from SHA-1 and towards stronger hash algorithms such as
SHA-2 or SHA-3 families. For SRTP, however, SHA-1 is only used in SHA-2 or SHA-3 families. For SRTP, however, SHA-1 is only used in
the calculation of an HMAC, and no security issue is known for this the calculation of an HMAC, and no security issue is known for this
usage at the time of this publication. usage at the time of this publication.
6. IANA Considerations 6. IANA Considerations
6.1. DTLS-SRTP 6.1. DTLS-SRTP
DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP Protection Profile". DTLS-SRTP [RFC5764] defines a DTLS-SRTP "SRTP protection profile".
In order to allow the use of the algorithms defined in this document In order to allow the use of the algorithms defined in this document
in DTLS-SRTP, IANA is requested to add the protection profiles below in DTLS-SRTP, IANA has added the following protection profiles below
to the "DTLS-SRTP Protection Profiles" created by [RFC5764], located to the "DTLS-SRTP Protection Profiles" registry (see
on the following IANA page at time of writing: <http://www.iana.org/assignments/srtp-protection/>) created by
http://www.iana.org/assignments/srtp-protection/. [RFC5764]:
SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_128_CTR_HMAC_SHA1_80 = {0x00, 0x0B}
SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_128_CTR_HMAC_SHA1_32 = {0x00, 0x0C}
SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {TBD,TBD} SRTP_ARIA_256_CTR_HMAC_SHA1_80 = {0x00, 0x0D}
SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {TBD,TBD} SRTP_ARIA_256_CTR_HMAC_SHA1_32 = {0x00, 0x0E}
SRTP_AEAD_ARIA_128_GCM = {TBD,TBD} SRTP_AEAD_ARIA_128_GCM = {0x00, 0x0F}
SRTP_AEAD_ARIA_256_GCM = {TBD,TBD} SRTP_AEAD_ARIA_256_GCM = {0x00, 0x10}
6.2. MIKEY 6.2. MIKEY
[RFC3830] and [RFC5748] define encryption algorithms and PRFs for the [RFC3830] and [RFC5748] define encryption algorithms and PRFs for the
SRTP policy in MIKEY. In order to allow the use of the algorithms SRTP policy in MIKEY. In order to allow the use of the algorithms
defined in this document in MIKEY, IANA is requested to add the two defined in this document in MIKEY, IANA has updated the "Multimedia
encryption algorithms below to the "MIKEY Security Protocol Internet KEYing (MIKEY) Payload Name Spaces" registry (see
Parameters SRTP Type 0 (Encryption algorithm)" and to add the PRF <http://www.iana.org/assignments/mikey-payloads/>.)
below to the "MIKEY Security Protocol Parameters SRTP Type 5 (Pseudo IANA has registered the following two encryption algorithms in the
Random Function)" created by [RFC3830], located on the following IANA "Encryption algorithm (Value 0)" subregistry within the "MIKEY
page at time of writing: http://www.iana.org/assignments/mikey- Security Protocol Parameters" registry:
payloads/.
+---------------+-------+ +---------------+-------+
| SRTP Enc. alg | Value | | SRTP encr alg | Value |
+---------------+-------+ +---------------+-------+
| ARIA-CTR | TBD | | ARIA-CTR | 7 |
| ARIA-GCM | TBD | | ARIA-GCM | 8 |
+---------------+-------+ +---------------+-------+
Default session encryption key length is 16 octets. The default session encryption key length is 16 octets.
IANA has registered the following PRF in the "SRTP Pseudo Random
Function (Value 5)" subregistry within the "MIKEY Security Protocol
Parameters" registry:
+----------+-------+ +----------+-------+
| SRTP PRF | Value | | SRTP PRF | Value |
+----------+-------+ +----------+-------+
| ARIA-CTR | TBD | | ARIA-CTR | 2 |
+----------+-------+ +----------+-------+
7. References 7. References
7.1. Normative References 7.1. Normative References
[GCM] Dworkin, M., "Recommendation for Block Cipher Modes of [GCM] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC", NIST Operation: Galois/Counter Mode (GCM) and GMAC", NIST
SP 800-38D, November 2007. Special publication 800-38D, DOI 10.6028/NIST.SP.800-38D,
November 2007.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <http://www.rfc-editor.org/info/rfc3550>. July 2003, <https://www.rfc-editor.org/info/rfc3550>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)", Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004, RFC 3711, DOI 10.17487/RFC3711, March 2004,
<http://www.rfc-editor.org/info/rfc3711>. <https://www.rfc-editor.org/info/rfc3711>.
[RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
DOI 10.17487/RFC3830, August 2004, DOI 10.17487/RFC3830, August 2004,
<http://www.rfc-editor.org/info/rfc3830>. <https://www.rfc-editor.org/info/rfc3830>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<http://www.rfc-editor.org/info/rfc5116>. <https://www.rfc-editor.org/info/rfc5116>.
[RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption
Algorithms with the Encrypted Payload of the Internet Key Algorithms with the Encrypted Payload of the Internet Key
Exchange version 2 (IKEv2) Protocol", RFC 5282, Exchange version 2 (IKEv2) Protocol", RFC 5282,
DOI 10.17487/RFC5282, August 2008, DOI 10.17487/RFC5282, August 2008,
<http://www.rfc-editor.org/info/rfc5282>. <https://www.rfc-editor.org/info/rfc5282>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010, DOI 10.17487/RFC5764, May 2010,
<http://www.rfc-editor.org/info/rfc5764>. <https://www.rfc-editor.org/info/rfc5764>.
[RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A [RFC5794] Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
Description of the ARIA Encryption Algorithm", RFC 5794, Description of the ARIA Encryption Algorithm", RFC 5794,
DOI 10.17487/RFC5794, March 2010, DOI 10.17487/RFC5794, March 2010,
<http://www.rfc-editor.org/info/rfc5794>. <https://www.rfc-editor.org/info/rfc5794>.
[RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure [RFC6188] McGrew, D., "The Use of AES-192 and AES-256 in Secure
RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011, RTP", RFC 6188, DOI 10.17487/RFC6188, March 2011,
<http://www.rfc-editor.org/info/rfc6188>. <https://www.rfc-editor.org/info/rfc6188>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904, Real-time Transport Protocol (SRTP)", RFC 6904,
DOI 10.17487/RFC6904, April 2013, DOI 10.17487/RFC6904, April 2013,
<http://www.rfc-editor.org/info/rfc6904>. <https://www.rfc-editor.org/info/rfc6904>.
[RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
in the Secure Real-time Transport Protocol (SRTP)", in the Secure Real-time Transport Protocol (SRTP)",
RFC 7714, DOI 10.17487/RFC7714, December 2015, RFC 7714, DOI 10.17487/RFC7714, December 2015,
<http://www.rfc-editor.org/info/rfc7714>. <https://www.rfc-editor.org/info/rfc7714>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References 7.2. Informative References
[ARIAKS] Korean Agency for Technology and Standards, "128 bit block [ARIAKS] Korean Agency for Technology and Standards, "128 bit block
encryption algorithm ARIA - Part 1: General (in Korean)", encryption algorithm ARIA - Part 1: General (in Korean)",
KS X 1213-1:2009, December 2009. KS X 1213-1:2014, December 2014.
[ARIAPKCS] [ARIAPKCS]
RSA Laboratories, "Additional PKCS #11 Mechanisms", RSA Laboratories, "Additional PKCS #11 Mechanisms",
PKCS #11 v2.20 Amendment 3 Revision 1, January 2007. PKCS #11 v2.20, Amendment 3, Revision 1, January 2007.
[ATY] Abdelkhalek, A., Tolba, M., and A. Youssef, "Improved [ATY] Abdelkhalek, A., Tolba, M., and A. Youssef, "Improved
linear cryptanalysis of round-reduced ARIA", Information Linear Cryptanalysis of Round-Reduced ARIA", Information
Security - ISC 2016, Lecture Notes in Computer Science Security - ISC 2016, Lecture Notes in Computer Science
(LNCS) Vol. 9866, pp. 18-34, September 2016. (LNCS), Vol. 9866, pp. 18-34,
DOI 10.1007/978-3-319-45871-7_2, September 2016.
[RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA [RFC5748] Yoon, S., Jeong, J., Kim, H., Jeong, H., and Y. Won, "IANA
Registry Update for Support of the SEED Cipher Algorithm Registry Update for Support of the SEED Cipher Algorithm
in Multimedia Internet KEYing (MIKEY)", RFC 5748, in Multimedia Internet KEYing (MIKEY)", RFC 5748,
DOI 10.17487/RFC5748, August 2010, DOI 10.17487/RFC5748, August 2010,
<http://www.rfc-editor.org/info/rfc5748>. <https://www.rfc-editor.org/info/rfc5748>.
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
Considerations for the SHA-0 and SHA-1 Message-Digest Considerations for the SHA-0 and SHA-1 Message-Digest
Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
<http://www.rfc-editor.org/info/rfc6194>. <https://www.rfc-editor.org/info/rfc6194>.
Appendix A. Test Vectors Appendix A. Test Vectors
All values are in hexadecimal and represented by the network order All values are in hexadecimal and represented by the network order
(called big endian). (called big endian).
A.1. ARIA-CTR Test Vectors A.1. ARIA-CTR Test Vectors
Common values are organized as follows: Common values are organized as follows:
Rollover Counter: 00000000 Rollover Counter: 00000000
Sequence Number: 315e Sequence Number: 315e
SSRC: 20e8f5eb SSRC: 20e8f5eb
Authentication Key: f93563311b354748c978913795530631 Authentication Key: f93563311b354748c978913795530631
16452309 16452309
Session Salt: cd3a7c42c671e0067a2a2639b43a Session Salt: cd3a7c42c671e0067a2a2639b43a
Initialization Vector: cd3a7c42e69915ed7a2a263985640000 Initialization Vector: cd3a7c42e69915ed7a2a263985640000
RTP header: 8008315ebf2e6fe020e8f5eb RTP Header: 8008315ebf2e6fe020e8f5eb
RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a RTP Payload: f57af5fd4ae19562976ec57a5a7ad55a
5af5c5e5c5fdf5c55ad57a4a7272d572 5af5c5e5c5fdf5c55ad57a4a7272d572
62e9729566ed66e97ac54a4a5a7ad5e1 62e9729566ed66e97ac54a4a5a7ad5e1
5ae5fdd5fd5ac5d56ae56ad5c572d54a 5ae5fdd5fd5ac5d56ae56ad5c572d54a
e54ac55a956afd6aed5a4ac562957a95 e54ac55a956afd6aed5a4ac562957a95
16991691d572fd14e97ae962ed7a9f4a 16991691d572fd14e97ae962ed7a9f4a
955af572e162f57a956666e17ae1f54a 955af572e162f57a956666e17ae1f54a
95f566d54a66e16e4afd6a9f7ae1c5c5 95f566d54a66e16e4afd6a9f7ae1c5c5
5ae5d56afde916c5e94a6ec56695e14a 5ae5d56afde916c5e94a6ec56695e14a
fde1148416e94ad57ac5146ed59d1cc5 fde1148416e94ad57ac5146ed59d1cc5
Note:
SSRC = Synchronization Source
A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80 A.1.1. SRTP_ARIA_128_CTR_HMAC_SHA1_80
Session Key: 0c5ffd37a11edc42c325287fc0604f2e Session Key: 0c5ffd37a11edc42c325287fc0604f2e
Encrypted RTP Payload: 1bf753f412e6f35058cc398dc851aae3 Encrypted RTP Payload: 1bf753f412e6f35058cc398dc851aae3
a6ccdcb463fbed9cfb3de2fb76fdffa9 a6ccdcb463fbed9cfb3de2fb76fdffa9
e481f5efb64c92487f59dabbc7cc72da e481f5efb64c92487f59dabbc7cc72da
092485f3fbad87888820b86037311fa4 092485f3fbad87888820b86037311fa4
4330e18a59a1e1338ba2c21458493a57 4330e18a59a1e1338ba2c21458493a57
463475c54691f91cec785429119e0dfc 463475c54691f91cec785429119e0dfc
d9048f90e07fecd50b528e8c62ee6e71 d9048f90e07fecd50b528e8c62ee6e71
445de5d7f659405135aff3604c2ca4ff 445de5d7f659405135aff3604c2ca4ff
skipping to change at page 12, line 17 skipping to change at page 13, line 5
a6ccdcb463fbed9cfb3de2fb76fdffa9 a6ccdcb463fbed9cfb3de2fb76fdffa9
e481f5efb64c92487f59dabbc7cc72da e481f5efb64c92487f59dabbc7cc72da
092485f3fbad87888820b86037311fa4 092485f3fbad87888820b86037311fa4
4330e18a59a1e1338ba2c21458493a57 4330e18a59a1e1338ba2c21458493a57
463475c54691f91cec785429119e0dfc 463475c54691f91cec785429119e0dfc
d9048f90e07fecd50b528e8c62ee6e71 d9048f90e07fecd50b528e8c62ee6e71
445de5d7f659405135aff3604c2ca4ff 445de5d7f659405135aff3604c2ca4ff
4aaca40809cb9eee42cc4ad232307570 4aaca40809cb9eee42cc4ad232307570
81ca289f2851d3315e9568b501fdce6d 81ca289f2851d3315e9568b501fdce6d
Authenticated portion || Rollover Counter: Authenticated Portion || Rollover Counter:
8008315ebf2e6fe020e8f5eb1bf753f4 8008315ebf2e6fe020e8f5eb1bf753f4
12e6f35058cc398dc851aae3a6ccdcb4 12e6f35058cc398dc851aae3a6ccdcb4
63fbed9cfb3de2fb76fdffa9e481f5ef 63fbed9cfb3de2fb76fdffa9e481f5ef
b64c92487f59dabbc7cc72da092485f3 b64c92487f59dabbc7cc72da092485f3
fbad87888820b86037311fa44330e18a fbad87888820b86037311fa44330e18a
59a1e1338ba2c21458493a57463475c5 59a1e1338ba2c21458493a57463475c5
4691f91cec785429119e0dfcd9048f90 4691f91cec785429119e0dfcd9048f90
e07fecd50b528e8c62ee6e71445de5d7 e07fecd50b528e8c62ee6e71445de5d7
f659405135aff3604c2ca4ff4aaca408 f659405135aff3604c2ca4ff4aaca408
09cb9eee42cc4ad23230757081ca289f 09cb9eee42cc4ad23230757081ca289f
skipping to change at page 13, line 18 skipping to change at page 13, line 36
17ccd7471088af9debf07b55c750f804 17ccd7471088af9debf07b55c750f804
a5ac2b737be48140958a9b420524112a a5ac2b737be48140958a9b420524112a
e72e4da5bca59d2b1019ddd7dbdc30b4 e72e4da5bca59d2b1019ddd7dbdc30b4
3d5f046152ced40947d62d2c93e7b8e5 3d5f046152ced40947d62d2c93e7b8e5
0f02db2b6b61b010e4c1566884de1fa9 0f02db2b6b61b010e4c1566884de1fa9
702cdf8157e8aedfe3dd77c76bb50c25 702cdf8157e8aedfe3dd77c76bb50c25
ae4d624615c15acfdeeb5f79482aaa01 ae4d624615c15acfdeeb5f79482aaa01
d3e4c05eb601eca2bd10518e9d46b021 d3e4c05eb601eca2bd10518e9d46b021
16359232e9eac0fabd05235dd09e6dea 16359232e9eac0fabd05235dd09e6dea
Authenticated portion || Rollover Counter: Authenticated Portion || Rollover Counter:
8008315ebf2e6fe020e8f5ebc424c59f 8008315ebf2e6fe020e8f5ebc424c59f
d5696305e5b13d8e8ca7656617ccd747 d5696305e5b13d8e8ca7656617ccd747
1088af9debf07b55c750f804a5ac2b73 1088af9debf07b55c750f804a5ac2b73
7be48140958a9b420524112ae72e4da5 7be48140958a9b420524112ae72e4da5
bca59d2b1019ddd7dbdc30b43d5f0461 bca59d2b1019ddd7dbdc30b43d5f0461
52ced40947d62d2c93e7b8e50f02db2b 52ced40947d62d2c93e7b8e50f02db2b
6b61b010e4c1566884de1fa9702cdf81 6b61b010e4c1566884de1fa9702cdf81
57e8aedfe3dd77c76bb50c25ae4d6246 57e8aedfe3dd77c76bb50c25ae4d6246
15c15acfdeeb5f79482aaa01d3e4c05e 15c15acfdeeb5f79482aaa01d3e4c05e
b601eca2bd10518e9d46b02116359232 b601eca2bd10518e9d46b02116359232
skipping to change at page 14, line 23 skipping to change at page 14, line 27
62e9729566ed66e97ac54a4a5a7ad5e1 62e9729566ed66e97ac54a4a5a7ad5e1
5ae5fdd5fd5ac5d56ae56ad5c572d54a 5ae5fdd5fd5ac5d56ae56ad5c572d54a
e54ac55a956afd6aed5a4ac562957a95 e54ac55a956afd6aed5a4ac562957a95
16991691d572fd14e97ae962ed7a9f4a 16991691d572fd14e97ae962ed7a9f4a
955af572e162f57a956666e17ae1f54a 955af572e162f57a956666e17ae1f54a
95f566d54a66e16e4afd6a9f7ae1c5c5 95f566d54a66e16e4afd6a9f7ae1c5c5
5ae5d56afde916c5e94a6ec56695e14a 5ae5d56afde916c5e94a6ec56695e14a
fde1148416e94ad57ac5146ed59d1cc5 fde1148416e94ad57ac5146ed59d1cc5
Associated Data: 8008315ebf2e6fe020e8f5eb Associated Data: 8008315ebf2e6fe020e8f5eb
The length of encrypted payload is larger than that of payload by 16 The encrypted RTP payload is longer than the RTP payload by exactly
octets that is the length of the tag from GCM. the GCM authentication tag length (16 octets).
A.2.1. SRTP_AEAD_ARIA_128_GCM A.2.1. SRTP_AEAD_ARIA_128_GCM
Key: e91e5e75da65554a48181f3846349562 Key: e91e5e75da65554a48181f3846349562
Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81a5c Encrypted RTP Payload: 4d8a9a0675550c704b17d8c9ddc81a5c
d6f7da34f2fe1b3db7cb3dfb9697102e d6f7da34f2fe1b3db7cb3dfb9697102e
a0f3c1fc2dbc873d44bceeae8e444297 a0f3c1fc2dbc873d44bceeae8e444297
4ba21ff6789d3272613fb9631a7cf3f1 4ba21ff6789d3272613fb9631a7cf3f1
4bacbeb421633a90ffbe58c2fa6bdca5 4bacbeb421633a90ffbe58c2fa6bdca5
skipping to change at page 15, line 19 skipping to change at page 15, line 22
425b352d97d3f337b90b63d1b082adee 425b352d97d3f337b90b63d1b082adee
ea9d2d7391897d591b985e55fb50cb53 ea9d2d7391897d591b985e55fb50cb53
50cf7d38dc27dda127c078a149c8eb98 50cf7d38dc27dda127c078a149c8eb98
083d66363a46e3726af217d3a00275ad 083d66363a46e3726af217d3a00275ad
5bf772c7610ea4c23006878f0ee69a83 5bf772c7610ea4c23006878f0ee69a83
97703169a419303f40b72e4573714d19 97703169a419303f40b72e4573714d19
e2697df61e7c7252e5abc6bade876ac4 e2697df61e7c7252e5abc6bade876ac4
961bfac4d5e867afca351a48aed52822 961bfac4d5e867afca351a48aed52822
e210d6ced2cf430ff841472915e7ef48 e210d6ced2cf430ff841472915e7ef48
A.3. Key Derivation Test Vector A.3. Key Derivation Test Vectors
This section provides test vectors for the default key derivation This section provides test vectors for the default key derivation
function that uses ARIA in Counter Mode. In the following, we walk function that uses ARIA in Counter Mode. In the following, we walk
through the initial key derivation for the ARIA Counter Mode cipher through the initial key derivation for the ARIA Counter Mode cipher
that requires a 16/24/32 octet session encryption key according to that requires a session encryption key of 16/24/32 octets according
the session encryption key length and a 14 octet session salt, and an to the session encryption key length, a 14-octet session salt, and an
authentication function that requires a 94 octet session authentication function that requires a 94-octet session
authentication key. These values are called the cipher key, the authentication key. These values are called the cipher key, the
cipher salt, and the auth key in the following. The test vectors are cipher salt, and the auth key in the following. The test vectors are
generated in the same way with the test vectors of key derivation generated in the same way with the test vectors of key derivation
functions in [RFC3711] and [RFC6188] but with each invocation of AES functions in [RFC3711] and [RFC6188] but with each invocation of AES
replaced with an invocation of ARIA. replaced with an invocation of ARIA.
A.3.1. ARIA_128_CTR_PRF A.3.1. ARIA_128_CTR_PRF
The inputs to the key derivation function are the 16 octet master key The inputs to the key derivation function are the 16-octet master key
and the 14 octet master salt: and the 14-octet master salt:
master key: e1f97a0d3e018be0d64fa32c06de4139 master key: e1f97a0d3e018be0d64fa32c06de4139
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
index DIV kdr: 000000000000 index DIV kdr: 000000000000
label: 00 label: 00
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
----------------------------------------------- -----------------------------------------------
xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
cipher key: dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output) cipher key: dbd85a3c4d9219b3e81f7d942e299de4 (ARIA-CTR output)
ARIA-CTR protection profile requires a 14 octet cipher salt while ARIA-CTR protection profile requires a 14-octet cipher salt while
ARIA-GCM protection profile requires a 12 octet cipher salt. ARIA-GCM protection profile requires a 12-octet cipher salt.
index DIV kdr: 000000000000 index DIV kdr: 000000000000
label: 02 label: 02
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
---------------------------------------------- ----------------------------------------------
xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output) 9700657f5f34161830d7d85f5dc8be7f (ARIA-CTR output)
skipping to change at page 16, line 42 skipping to change at page 17, line 7
d021877bd3eaf92d581ed70ddc050e03 0ec675ad498afeeab6960b3aabe60000 d021877bd3eaf92d581ed70ddc050e03 0ec675ad498afeeab6960b3aabe60000
f11257032676f2a29f57b21abd3a1423 0ec675ad498afeeab6960b3aabe60001 f11257032676f2a29f57b21abd3a1423 0ec675ad498afeeab6960b3aabe60001
769749bdc5dd9ca5b43ca6b6c1f3a7de 0ec675ad498afeeab6960b3aabe60002 769749bdc5dd9ca5b43ca6b6c1f3a7de 0ec675ad498afeeab6960b3aabe60002
4047904bcf811f601cc03eaa5d7af6db 0ec675ad498afeeab6960b3aabe60003 4047904bcf811f601cc03eaa5d7af6db 0ec675ad498afeeab6960b3aabe60003
9f88efa2e51ca832fc2a15b126fa7be2 0ec675ad498afeeab6960b3aabe60004 9f88efa2e51ca832fc2a15b126fa7be2 0ec675ad498afeeab6960b3aabe60004
469af896acb1852c31d822c45799 0ec675ad498afeeab6960b3aabe60005 469af896acb1852c31d822c45799 0ec675ad498afeeab6960b3aabe60005
A.3.2. ARIA_256_CTR_PRF A.3.2. ARIA_256_CTR_PRF
The inputs to the key derivation function are the 32 octet master key The inputs to the key derivation function are the 32-octet master key
and the 14 octet master salt: and the 14-octet master salt:
master key: 0c5ffd37a11edc42c325287fc0604f2e master key: 0c5ffd37a11edc42c325287fc0604f2e
3e8cd5671a00fe3216aa5eb105783b54 3e8cd5671a00fe3216aa5eb105783b54
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
index DIV kdr: 000000000000 index DIV kdr: 000000000000
label: 00 label: 00
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
----------------------------------------------- -----------------------------------------------
xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input) xor: 0ec675ad498afeebb6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input) x*2^16: 0ec675ad498afeebb6960b3aabe60000 (ARIA-CTR input)
cipher key: 0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output) cipher key: 0649a09d93755fe9c2b2efba1cce930a (ARIA-CTR 1st output)
f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output) f2e76ce8b77e4b175950321aa94b0cf4 (ARIA-CTR 2nd output)
ARIA-CTR protection profile requires a 14 octet cipher salt while ARIA-CTR protection profile requires a 14-octet cipher salt while
ARIA-GCM protection profile requires a 12 octet cipher salt. ARIA-GCM protection profile requires a 12-octet cipher salt.
index DIV kdr: 000000000000 index DIV kdr: 000000000000
label: 02 label: 02
master salt: 0ec675ad498afeebb6960b3aabe6 master salt: 0ec675ad498afeebb6960b3aabe6
---------------------------------------------- ----------------------------------------------
xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input) xor: 0ec675ad498afee9b6960b3aabe6 (x, PRF input)
x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input) x*2^16: 0ec675ad498afee9b6960b3aabe60000 (ARIA-CTR input)
194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output) 194abaa8553a8eba8a413a340fc80a3d (ARIA-CTR output)
skipping to change at page 18, line 18 skipping to change at page 19, line 9
0bc460181d06e02b7a9e60f02ff10bfc 0ec675ad498afeeab6960b3aabe60001 0bc460181d06e02b7a9e60f02ff10bfc 0ec675ad498afeeab6960b3aabe60001
9ade3795cf78f3e0f2556d9d913470c4 0ec675ad498afeeab6960b3aabe60002 9ade3795cf78f3e0f2556d9d913470c4 0ec675ad498afeeab6960b3aabe60002
e82e45d254bfb8e2933851a3930ffe7d 0ec675ad498afeeab6960b3aabe60003 e82e45d254bfb8e2933851a3930ffe7d 0ec675ad498afeeab6960b3aabe60003
fca751c03ec1e77e35e28dac4f17d1a5 0ec675ad498afeeab6960b3aabe60004 fca751c03ec1e77e35e28dac4f17d1a5 0ec675ad498afeeab6960b3aabe60004
80bdac028766d3b1e8f5a41faa3c 0ec675ad498afeeab6960b3aabe60005 80bdac028766d3b1e8f5a41faa3c 0ec675ad498afeeab6960b3aabe60005
Authors' Addresses Authors' Addresses
Woo-Hwan Kim Woo-Hwan Kim
National Security Research Institute National Security Research Institute
P.O.Box 1, Yuseong P.O. Box 1, Yuseong
Daejeon 34188 Daejeon 34188
Korea Korea
EMail: whkim5@nsr.re.kr Email: whkim5@nsr.re.kr
Jungkeun Lee Jungkeun Lee
National Security Research Institute National Security Research Institute
P.O.Box 1, Yuseong P.O. Box 1, Yuseong
Daejeon 34188 Daejeon 34188
Korea Korea
EMail: jklee@nsr.re.kr Email: jklee@nsr.re.kr
Je-Hong Park Je-Hong Park
National Security Research Institute National Security Research Institute
P.O.Box 1, Yuseong P.O. Box 1, Yuseong
Daejeon 34188 Daejeon 34188
Korea Korea
EMail: jhpark@nsr.re.kr Email: jhpark@nsr.re.kr
Daesung Kwon Daesung Kwon
National Security Research Institute National Security Research Institute
P.O.Box 1, Yuseong P.O. Box 1, Yuseong
Daejeon 34188 Daejeon 34188
Korea Korea
EMail: ds_kwon@nsr.re.kr Email: ds_kwon@nsr.re.kr
Dong-Chan Kim Dong-Chan Kim
Kookmin University Kookmin University
77 Jeongneung-ro, Seongbuk-gu 77 Jeongneung-ro, Seongbuk-gu
Seoul 02707 Seoul 02707
Korea Korea
EMail: dckim@kookmin.ac.kr Email: dckim@kookmin.ac.kr
 End of changes. 82 change blocks. 
161 lines changed or deleted 180 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/