Network Working Group R. Pereira
Request for Comments: 2451 TimeStep Corporation
Category: Standards Track R. Adams
Cisco Systems Inc.
November 1998
Network Working Group R. Pereira
Request for Comments: 2451 TimeStep Corporation
Category: Standards Track R. Adams
Cisco Systems Inc.
November 1998
The ESP CBC-Mode Cipher Algorithms
ESP-CBC模式密码算法
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (1998). All Rights Reserved.
版权所有(C)互联网协会(1998年)。版权所有。
Abstract
摘要
This document describes how to use CBC-mode cipher algorithms with the IPSec ESP (Encapsulating Security Payload) Protocol. It not only clearly states how to use certain cipher algorithms, but also how to use all CBC-mode cipher algorithms.
本文档介绍如何将CBC模式密码算法与IPSec ESP(封装安全有效负载)协议一起使用。它不仅清楚地说明了如何使用某些密码算法,而且还说明了如何使用所有CBC模式密码算法。
Table of Contents
目录
1. Introduction...................................................2
1.1 Specification of Requirements...............................2
1.2 Intellectual Property Rights Statement......................2
2. Cipher Algorithms..............................................2
2.1 Mode........................................................3
2.2 Key Size....................................................3
2.3 Weak Keys...................................................4
2.4 Block Size and Padding......................................5
2.5 Rounds......................................................6
2.6 Backgrounds.................................................6
2.7 Performance.................................................8
3. ESP Payload....................................................8
3.1 ESP Environmental Considerations............................9
3.2 Keying Material.............................................9
4. Security Considerations........................................9
5. References....................................................10
6. Acknowledgments...............................................11
7. Editors' Addresses............................................12
1. Introduction...................................................2
1.1 Specification of Requirements...............................2
1.2 Intellectual Property Rights Statement......................2
2. Cipher Algorithms..............................................2
2.1 Mode........................................................3
2.2 Key Size....................................................3
2.3 Weak Keys...................................................4
2.4 Block Size and Padding......................................5
2.5 Rounds......................................................6
2.6 Backgrounds.................................................6
2.7 Performance.................................................8
3. ESP Payload....................................................8
3.1 ESP Environmental Considerations............................9
3.2 Keying Material.............................................9
4. Security Considerations........................................9
5. References....................................................10
6. Acknowledgments...............................................11
7. Editors' Addresses............................................12
8. Full Copyright Statement......................................14
8. Full Copyright Statement......................................14
The Encapsulating Security Payload (ESP) [Kent98] provides confidentiality for IP datagrams by encrypting the payload data to be protected. This specification describes the ESP use of CBC-mode cipher algorithms.
封装安全有效载荷(ESP)[98]通过加密要保护的有效载荷数据为IP数据报提供机密性。本规范描述了CBC模式密码算法的ESP使用。
While this document does not describe the use of the default cipher algorithm DES, the reader should be familiar with that document. [Madson98]
虽然本文档没有描述默认密码算法DES的使用,但读者应该熟悉该文档。[Madson98]
It is assumed that the reader is familiar with the terms and concepts described in the "Security Architecture for the Internet Protocol" [Atkinson95], "IP Security Document Roadmap" [Thayer97], and "IP Encapsulating Security Payload (ESP)" [Kent98] documents.
假设读者熟悉“互联网协议的安全体系结构”[Atkinson95]、“IP安全文档路线图”[Thayer97]和“IP封装安全负载(ESP)”[Kent98]文档中描述的术语和概念。
Furthermore, this document is a companion to [Kent98] and MUST be read in its context.
此外,本文件是[Kent98]的配套文件,必须结合上下文阅读。
The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", and "MAY" that appear in this document are to be interpreted as described in [Bradner97].
本文件中出现的关键词“必须”、“不得”、“必需”、“应该”、“不应该”和“可能”应按照[Bradner97]中所述进行解释。
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。
All symmetric block cipher algorithms share common characteristics and variables. These include mode, key size, weak keys, block size, and rounds. All of which will be explained below.
所有对称分组密码算法都具有共同的特征和变量。这些包括模式、键大小、弱键、块大小和轮数。所有这些都将在下面解释。
While this document illustrates certain cipher algorithms such as Blowfish [Schneier93], CAST-128 [Adams97], 3DES, IDEA [Lai] [MOV], and RC5 [Baldwin96], any other block cipher algorithm may be used with ESP if all of the variables described within this document are clearly defined.
虽然本文件说明了某些密码算法,如Blowfish[Schneier93]、CAST-128[Adams97]、3DES、IDEA[Lai][MOV]和RC5[Baldwin96],但如果本文件中描述的所有变量均已明确定义,则任何其他分组密码算法均可用于ESP。
All symmetric block cipher algorithms described or insinuated within this document use Cipher Block Chaining (CBC) mode. This mode requires an Initialization Vector (IV) that is the same size as the block size. Use of a randomly generated IV prevents generation of identical ciphertext from packets which have identical data that spans the first block of the cipher algorithm's blocksize.
本文中描述或暗示的所有对称分组密码算法都使用密码分组链(CBC)模式。此模式需要与块大小相同大小的初始化向量(IV)。使用随机生成的IV可防止从具有跨越密码算法块大小的第一个块的相同数据的数据包生成相同的密文。
The IV is XOR'd with the first plaintext block, before it is encrypted. Then for successive blocks, the previous ciphertext block is XOR'd with the current plaintext, before it is encrypted.
IV在加密之前与第一个明文块进行异或运算。然后,对于连续的块,前一个密文块在加密之前与当前明文异或。
More information on CBC mode can be obtained in [Schneier95].
有关CBC模式的更多信息,请参见[Schneier95]。
Some cipher algorithms allow for variable sized keys, while others only allow a specific key size. The length of the key correlates with the strength of that algorithm, thus larger keys are always harder to break than shorter ones.
一些密码算法允许可变大小的密钥,而另一些密码算法只允许特定的密钥大小。密钥的长度与该算法的强度相关,因此较大的密钥总是比较短的密钥更难破解。
This document stipulates that all key sizes MUST be a multiple of 8 bits.
本文件规定,所有密钥大小必须是8位的倍数。
This document does specify the default key size for each cipher algorithm. This size was chosen by consulting experts on the algorithm and by balancing strength of the algorithm with performance.
本文档确实为每个密码算法指定了默认密钥大小。这个尺寸是由算法专家咨询并通过平衡算法的强度和性能来选择的。
+==============+==================+=================+==========+
| Algorithm | Key Sizes (bits) | Popular Sizes | Default |
+==============+==================+=================+==========+
| CAST-128 [1] | 40 to 128 | 40, 64, 80, 128 | 128 |
+--------------+------------------+-----------------+----------+
| RC5 | 40 to 2040 | 40, 128, 160 | 128 |
+--------------+------------------+-----------------+----------+
| IDEA | 128 | 128 | 128 |
+--------------+------------------+-----------------+----------+
| Blowfish | 40 to 448 | 128 | 128 |
+--------------+------------------+-----------------+----------+
| 3DES [2] | 192 | 192 | 192 |
+--------------+------------------+-----------------+----------+
+==============+==================+=================+==========+
| Algorithm | Key Sizes (bits) | Popular Sizes | Default |
+==============+==================+=================+==========+
| CAST-128 [1] | 40 to 128 | 40, 64, 80, 128 | 128 |
+--------------+------------------+-----------------+----------+
| RC5 | 40 to 2040 | 40, 128, 160 | 128 |
+--------------+------------------+-----------------+----------+
| IDEA | 128 | 128 | 128 |
+--------------+------------------+-----------------+----------+
| Blowfish | 40 to 448 | 128 | 128 |
+--------------+------------------+-----------------+----------+
| 3DES [2] | 192 | 192 | 192 |
+--------------+------------------+-----------------+----------+
Notes:
笔记:
[1] With CAST-128, keys less than 128 bits MUST be padded with zeros in the rightmost, or least significant, positions out to 128 bits since the CAST-128 key schedule assumes an input key of 128 bits. Thus if you had a key with a size of 80 bits '3B5D831CFE', it would be padded to produce a key with a size of 128 bits '3B5D831CFE000000'.
[1] 对于CAST-128,小于128位的密钥必须在最右边或最低有效位置用零填充到128位,因为CAST-128密钥计划假定输入密钥为128位。因此,如果您有一个大小为80位“3B5D831CFE”的密钥,则会对其进行填充以生成一个大小为128位“3B5D831CFE000000”的密钥。
[2] The first 3DES key is taken from the first 64 bits, the second from the next 64 bits, and the third from the last 64 bits. Implementations MUST take into consideration the parity bits when initially accepting a new set of keys. Each of the three keys is really 56 bits in length with the extra 8 bits used for parity.
[2] 第一个3DES密钥取自前64位,第二个取自下64位,第三个取自最后64位。在最初接受一组新密钥时,实现必须考虑奇偶校验位。这三个键的长度实际上都是56位,额外的8位用于奇偶校验。
The reader should note that the minimum key size for all of the above cipher algorithms is 40 bits, and that the authors strongly advise that implementations do NOT use key sizes smaller than 40 bits.
读者应该注意,上述所有密码算法的最小密钥大小都是40位,作者强烈建议实现中不要使用小于40位的密钥大小。
Weak key checks SHOULD be performed. If such a key is found, the key SHOULD be rejected and a new SA requested. Some cipher algorithms have weak keys or keys that MUST not be used due to their weak nature.
应执行弱密钥检查。如果找到此类密钥,则应拒绝该密钥并请求新的SA。某些密码算法具有弱密钥或由于其弱性质而不能使用的密钥。
New weak keys might be discovered, so this document does not in any way contain all possible weak keys for these ciphers. Please check with other sources of cryptography such as [MOV] and [Schneier] for further weak keys.
可能会发现新的弱密钥,因此本文档不会以任何方式包含这些密码的所有可能的弱密钥。请与[MOV]和[Schneier]等其他加密源联系,以了解更多的弱密钥。
CAST-128:
CAST-128:
No known weak keys.
没有已知的弱键。
RC5:
RC5:
No known weak keys when used with 16 rounds.
使用16轮时,没有已知的弱键。
IDEA:
想法:
IDEA has been found to have weak keys. Please check with [MOV] and [Schneier] for more information.
这个想法被发现有弱点。有关更多信息,请咨询[MOV]和[Schneier]。
Blowfish:
河豚:
Weak keys for Blowfish have been discovered. Weak keys are keys that produce the identical entries in a given S-box. Unfortunately, there is no way to test for weak keys before the S- box values are generated. However, the chances of randomly generating such a key are small.
河豚的弱点已经被发现。弱键是在给定S框中生成相同项的键。不幸的是,在生成S-box值之前,没有办法测试弱键。但是,随机生成这样一个密钥的机会很小。
3DES:
3DES:
DES has 64 known weak keys, including so-called semi-weak keys and possibly-weak keys [Schneier95, pp 280-282]. The likelihood of picking one at random is negligible.
DES有64个已知的弱密钥,包括所谓的半弱密钥和可能的弱密钥[Schneier95,pp 280-282]。随机挑选一个的可能性可以忽略不计。
For DES-EDE3, there is no known need to reject weak or complementation keys. Any weakness is obviated by the use of multiple keys.
对于DES-EDE3,不需要拒绝弱键或互补键。使用多个键可以消除任何弱点。
However, if the first two or last two independent 64-bit keys are equal (k1 == k2 or k2 == k3), then the 3DES operation is simply the same as DES. Implementers MUST reject keys that exhibit this property.
然而,如果前两个或最后两个独立的64位键相等(k1==k2或k2==k3),则3DES操作与DES完全相同。实现者必须拒绝显示此属性的键。
All of the algorithms described in this document use a block size of eight octets (64 bits).
本文档中描述的所有算法都使用8个八位字节(64位)的块大小。
Padding is used to align the payload type and pad length octets as specified in [Kent98]. Padding must be sufficient to align the data to be encrypted to an eight octet (64 bit) boundary.
填充用于对齐[98]中规定的有效负载类型和填充长度八位字节。填充必须足以将要加密的数据与八个八位字节(64位)的边界对齐。
This variable determines how many times a block is encrypted. While this variable MAY be negotiated, a default value MUST always exist when it is not negotiated.
此变量确定块加密的次数。虽然可以协商此变量,但未协商时必须始终存在默认值。
+====================+============+======================+
| Algorithm | Negotiable | Default Rounds |
+====================+============+======================+
| CAST-128 | No | key<=80 bits, 12 |
| | | key>80 bits, 16 |
+--------------------+------------+----------------------+
| RC5 | No | 16 |
+--------------------+------------+----------------------+
| IDEA | No | 8 |
+--------------------+------------+----------------------+
| Blowfish | No | 16 |
+--------------------+------------+----------------------+
| 3DES | No | 48 (16x3) |
+--------------------+------------+----------------------+
+====================+============+======================+
| Algorithm | Negotiable | Default Rounds |
+====================+============+======================+
| CAST-128 | No | key<=80 bits, 12 |
| | | key>80 bits, 16 |
+--------------------+------------+----------------------+
| RC5 | No | 16 |
+--------------------+------------+----------------------+
| IDEA | No | 8 |
+--------------------+------------+----------------------+
| Blowfish | No | 16 |
+--------------------+------------+----------------------+
| 3DES | No | 48 (16x3) |
+--------------------+------------+----------------------+
CAST-128:
CAST-128:
The CAST design procedure was originally developed by Carlisle Adams and Stafford Tavares at Queen's University, Kingston, Ontario, Canada. Subsequent enhancements have been made over the years by Carlisle Adams and Michael Wiener of Entrust Technologies. CAST-128 is the result of applying the CAST Design Procedure as outlined in [Adams97].
铸件设计程序最初由加拿大安大略省金斯顿皇后大学的卡莱尔·亚当斯和斯塔福德·塔瓦雷斯开发。多年来,委托技术公司的卡莱尔·亚当斯(Carlisle Adams)和迈克尔·维纳(Michael Wiener)进行了后续改进。CAST-128是应用[Adams97]中概述的铸造设计程序的结果。
RC5:
RC5:
The RC5 encryption algorithm was developed by Ron Rivest for RSA Data Security Inc. in order to address the need for a high- performance software and hardware ciphering alternative to DES. It is patented (pat.no. 5,724,428). A description of RC5 may be found in [MOV] and [Schneier].
RC5加密算法由Ron Rivest为RSA Data Security Inc.开发,以满足对DES高性能软件和硬件加密替代方案的需求。它已获得专利(专利号5724428)。RC5的说明可在[MOV]和[Schneier]中找到。
IDEA:
想法:
Xuejia Lai and James Massey developed the IDEA (International Data Encryption Algorithm) algorithm. The algorithm is described in detail in [Lai], [Schneier] and [MOV].
赖学佳和詹姆斯·梅西开发了IDEA(国际数据加密算法)算法。该算法在[Lai]、[Schneier]和[MOV]中有详细描述。
The IDEA algorithm is patented in Europe and in the United States with patent application pending in Japan. Licenses are required for commercial uses of IDEA.
IDEA算法在欧洲和美国获得专利,在日本申请专利。IDEA的商业用途需要许可证。
For patent and licensing information, contact:
有关专利和许可信息,请联系:
Ascom Systec AG, Dept. CMVV
Gewerbepark, CH-5506
Magenwil, Switzerland
Phone: +41 64 56 59 83
Fax: +41 64 56 59 90
idea@ascom.ch
http://www.ascom.ch/Web/systec/policy/normal/exhibit1.html
Ascom Systec AG, Dept. CMVV
Gewerbepark, CH-5506
Magenwil, Switzerland
Phone: +41 64 56 59 83
Fax: +41 64 56 59 90
idea@ascom.ch
http://www.ascom.ch/Web/systec/policy/normal/exhibit1.html
Blowfish:
河豚:
Bruce Schneier of Counterpane Systems developed the Blowfish block cipher algorithm. The algorithm is described in detail in [Schneier93], [Schneier95] and [Schneier].
Counterpane Systems的Bruce Schneier开发了Blowfish分组密码算法。该算法在[Schneier93]、[Schneier95]和[Schneier]中有详细描述。
3DES:
3DES:
This DES variant, colloquially known as "Triple DES" or as DES-EDE3, processes each block three times, each time with a different key. This technique of using more than one DES operation was proposed in [Tuchman79].
这种DES变体,通俗地称为“三重DES”或DES-EDE3,处理每个块三次,每次使用不同的键。[Tuchman79]中提出了使用多个DES操作的技术。
P1 P2 Pi
| | |
IV->->(X) +>->->->(X) +>->->->(X)
v ^ v ^ v
+-----+ ^ +-----+ ^ +-----+
k1->| E | ^ k1->| E | ^ k1->| E |
+-----+ ^ +-----+ ^ +-----+
| ^ | ^ |
v ^ v ^ v
+-----+ ^ +-----+ ^ +-----+
k2->| D | ^ k2->| D | ^ k2->| D |
+-----+ ^ +-----+ ^ +-----+
| ^ | ^ |
v ^ v ^ v
+-----+ ^ +-----+ ^ +-----+
k3->| E | ^ k3->| E | ^ k3->| E |
+-----+ ^ +-----+ ^ +-----+
| ^ | ^ |
+>->->+ +>->->+ +>->->
| | |
C1 C2 Ci
P1 P2 Pi
| | |
IV->->(X) +>->->->(X) +>->->->(X)
v ^ v ^ v
+-----+ ^ +-----+ ^ +-----+
k1->| E | ^ k1->| E | ^ k1->| E |
+-----+ ^ +-----+ ^ +-----+
| ^ | ^ |
v ^ v ^ v
+-----+ ^ +-----+ ^ +-----+
k2->| D | ^ k2->| D | ^ k2->| D |
+-----+ ^ +-----+ ^ +-----+
| ^ | ^ |
v ^ v ^ v
+-----+ ^ +-----+ ^ +-----+
k3->| E | ^ k3->| E | ^ k3->| E |
+-----+ ^ +-----+ ^ +-----+
| ^ | ^ |
+>->->+ +>->->+ +>->->
| | |
C1 C2 Ci
The DES-EDE3-CBC algorithm is a simple variant of the DES-CBC algorithm [FIPS-46]. The "outer" chaining technique is used.
DES-EDE3-CBC算法是DES-CBC算法的简单变体[FIPS-46]。使用“外部”链接技术。
In DES-EDE3-CBC, an Initialization Vector (IV) is XOR'd with the first 64-bit (8 byte) plaintext block (P1). The keyed DES function is iterated three times, an encryption (Ek1) followed by a decryption (Dk2) followed by an encryption (Ek3), and generates the ciphertext (C1) for the block. Each iteration uses an independent key: k1, k2 and k3.
在DES-EDE3-CBC中,初始化向量(IV)与第一个64位(8字节)明文块(P1)异或。密钥DES函数迭代三次,先加密(Ek1),然后解密(Dk2),再加密(Ek3),并生成块的密文(C1)。每次迭代都使用一个独立的键:k1、k2和k3。
For successive blocks, the previous ciphertext block is XOR'd with the current plaintext (Pi). The keyed DES-EDE3 encryption function generates the ciphertext (Ci) for that block.
对于连续块,前一个密文块与当前明文(Pi)异或。密钥DES-EDE3加密函数为该块生成密文(Ci)。
To decrypt, the order of the functions is reversed: decrypt with k3, encrypt with k2, decrypt with k1, and XOR the previous ciphertext block.
要解密,函数的顺序是相反的:用k3解密,用k2加密,用k1解密,对上一个密文块进行异或。
Note that when all three keys (k1, k2 and k3) are the same, DES-EDE3-CBC is equivalent to DES-CBC. This property allows the DES-EDE3 hardware implementations to operate in DES mode without modification.
请注意,当所有三个键(k1、k2和k3)相同时,DES-EDE3-CBC等同于DES-CBC。此属性允许DES-EDE3硬件实现在DES模式下运行,无需修改。
For more explanation and implementation information for Triple DES, see [Schneier95].
有关三重DES的更多解释和实现信息,请参阅[Schneier95]。
For a comparison table of the estimated speed of any of these and other cipher algorithms, please see [Schneier97] or for an up-to-date performance comparison, please see [Bosseleaers].
有关这些密码算法和其他密码算法估计速度的比较表,请参阅[Schneier97],或有关最新性能比较,请参阅[Bosseleaers]。
The ESP payload is made up of the IV followed by raw cipher-text. Thus the payload field, as defined in [Kent98], is broken down according to the following diagram:
ESP有效载荷由IV和原始密码文本组成。因此,根据下图对[98]中定义的有效载荷字段进行分解:
+---------------+---------------+---------------+---------------+
| |
+ Initialization Vector (8 octets) +
| |
+---------------+---------------+---------------+---------------+
| |
~ Encrypted Payload (variable length) ~
| |
+---------------------------------------------------------------+
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
+---------------+---------------+---------------+---------------+
| |
+ Initialization Vector (8 octets) +
| |
+---------------+---------------+---------------+---------------+
| |
~ Encrypted Payload (variable length) ~
| |
+---------------------------------------------------------------+
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8
The IV field MUST be same size as the block size of the cipher algorithm being used. The IV MUST be chosen at random. Common practice is to use random data for the first IV and the last block of encrypted data from an encryption process as the IV for the next encryption process.
IV字段的大小必须与正在使用的密码算法的块大小相同。静脉注射必须随机选择。通常的做法是将加密过程中的第一个IV和最后一个加密数据块的随机数据用作下一个加密过程的IV。
Including the IV in each datagram ensures that decryption of each received datagram can be performed, even when some datagrams are dropped, or datagrams are re-ordered in transit.
在每个数据报中包括IV确保可以对每个接收到的数据报进行解密,即使某些数据报被丢弃,或者数据报在传输过程中被重新排序。
To avoid ECB encryption of very similar plaintext blocks in different packets, implementations MUST NOT use a counter or other low-Hamming distance source for IVs.
为了避免对不同数据包中非常相似的明文块进行ECB加密,实现时不得为IVs使用计数器或其他低汉明距离源。
Currently, there are no known issues regarding interactions between these algorithms and other aspects of ESP, such as use of certain authentication schemes.
目前,关于这些算法与ESP的其他方面(如某些认证方案的使用)之间的交互,还没有已知的问题。
The minimum number of bits sent from the key exchange protocol to this ESP algorithm must be greater or equal to the key size.
从密钥交换协议发送到此ESP算法的最小位数必须大于或等于密钥大小。
The cipher's encryption and decryption key is taken from the first <x> bits of the keying material, where <x> represents the required key size.
密码的加密和解密密钥取自密钥材料的第一个<x>位,其中<x>表示所需的密钥大小。
Implementations are encouraged to use the largest key sizes they can when taking into account performance considerations for their particular hardware and software configuration. Note that encryption necessarily impacts both sides of a secure channel, so such consideration must take into account not only the client side, but the server as well.
在考虑特定硬件和软件配置的性能考虑因素时,鼓励实现使用最大的密钥大小。请注意,加密必然会影响安全通道的两侧,因此这种考虑不仅要考虑客户端,还要考虑服务器。
For information on the case for using random values please see [Bell97].
有关使用随机值情况的信息,请参见[Bell97]。
For further security considerations, the reader is encouraged to read the documents that describe the actual cipher algorithms.
出于进一步的安全考虑,鼓励读者阅读描述实际密码算法的文档。
[Adams97] Adams, C, "The CAST-128 Encryption Algorithm", RFC2144, 1997.
[Adams97]Adams,C,“CAST-128加密算法”,RFC2144,1997年。
[Atkinson98]Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[Atkinson 98]Kent,S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。
[Baldwin96] Baldwin, R. and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms", RFC 2040, October 1996.
[Baldwin96]Baldwin,R.和R.Rivest,“RC5、RC5-CBC、RC5-CBC Pad和RC5-CTS算法”,RFC 2040,1996年10月。
[Bell97] S. Bellovin, "Probable Plaintext Cryptanalysis of the IP Security Protocols", Proceedings of the Symposium on Network and Distributed System Security, San Diego, CA, pp. 155-160, February 1997 (also http://www.research.att.com/~smb/probtxt.{ps, pdf}).
[Bell97]S.Bellovin,“IP安全协议的可能明文密码分析”,网络和分布式系统安全研讨会论文集,加利福尼亚州圣地亚哥,第155-160页,1997年2月(另附http://www.research.att.com/~smb/probtxt.{ps,pdf})。
[Bosselaers]A. Bosselaers, "Performance of Pentium implementations",
http://www.esat.kuleuven.ac.be/~bosselae/
[Bosselaers]A. Bosselaers, "Performance of Pentium implementations",
http://www.esat.kuleuven.ac.be/~bosselae/
[Bradner97] Bradner, S., "Key words for use in RFCs to indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[Bradner97]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[Crypto93] J. Daemen, R. Govaerts, J. Vandewalle, "Weak Keys for IDEA", Advances in Cryptology, CRYPTO 93 Proceedings, Springer-Verlag, pp. 224-230.
[Crypto93]J.Daemen,R.Govaerts,J.Vandewalle,“思想的弱密钥”,密码学进展,Crypto93会议录,Springer Verlag,第224-230页。
[FIPS-46] US National Bureau of Standards, "Data Encryption Standard", Federal Information Processing Standard (FIPS) Publication 46, January 1977.
[FIPS-46]美国国家标准局,“数据加密标准”,联邦信息处理标准(FIPS)出版物46,1977年1月。
[Kent98] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.
[Kent98]Kent,S.和R.Atkinson,“IP封装安全有效载荷(ESP)”,RFC 2406,1998年11月。
[Lai] X. Lai, "On the Design and Security of Block Ciphers", ETH Series in Information Processing, v. 1, Konstanz: Hartung-Gorre Verlag, 1992.
[Lai]X.Lai,“关于分组密码的设计和安全”,信息处理ETH系列,v。康斯坦茨:哈东·高尔·韦拉格,1992年。
[Madson98] Madson, C. and N. Dorswamy, "The ESP DES-CBC Cipher Algorithm With Explicit IV", RFC 2405, November 1998.
[Madson98]Madson,C.和N.Dorswamy,“带显式IV的ESP DES-CBC密码算法”,RFC 2405,1998年11月。
[MOV] A. Menezes, P. Van Oorschot, S. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1997. ISBN 0-8493- 8523-7
[MOV]A.Menezes,P.Van Oorschot,S.Vanstone,“应用密码学手册”,CRC出版社,1997年。ISBN 0-8493-8523-7
[Schneier] B. Schneier, "Applied Cryptography Second Edition", John Wiley & Sons, New York, NY, 1995. ISBN 0-471-12845-7
[Schneier]B.Schneier,“应用密码学第二版”,John Wiley&Sons,纽约,纽约,1995年。ISBN 0-471-12845-7
[Schneier93]B. Schneier, "Description of a New Variable-Length Key, 64-Bit Block Cipher", from "Fast Software Encryption, Cambridge Security Workshop Proceedings", Springer-Verlag, 1994, pp. 191-204. http://www.counterpane.com/bfsverlag.html
[Schneier93]B.Schneier,“新变长密钥64位分组密码的描述”,摘自“快速软件加密,剑桥安全研讨会论文集”,Springer Verlag,1994年,第191-204页。http://www.counterpane.com/bfsverlag.html
[Schneier95]B. Schneier, "The Blowfish Encryption Algorithm - One
Year Later", Dr. Dobb's Journal, September 1995,
http://www.counterpane.com/bfdobsoyl.html
[Schneier95]B. Schneier, "The Blowfish Encryption Algorithm - One
Year Later", Dr. Dobb's Journal, September 1995,
http://www.counterpane.com/bfdobsoyl.html
[Schneier97]B. Scheier, "Speed Comparisons of Block Ciphers on a Pentium." February 1997, http://www.counterpane.com/speed.html
[Schneier97]B.Scheier,“奔腾上分组密码的速度比较”,1997年2月,http://www.counterpane.com/speed.html
[Thayer97] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security Document Roadmap", RFC 2411, November 1998.
[Thayer97]Thayer,R.,Doraswamy,N.和R.Glenn,“IP安全文档路线图”,RFC 24111998年11月。
[Tuchman79] Tuchman, W, "Hellman Presents No Shortcut Solutions to DES", IEEE Spectrum, v. 16 n. 7, July 1979, pp. 40-41.
[Tuchman 79]Tuchman,W,“Hellman对DES没有捷径解决方案”,IEEE Spectrum,v。16 n。1979年7月7日,第40-41页。
This document is a merger of most of the ESP cipher algorithm documents. This merger was done to facilitate greater understanding of the commonality of all of the ESP algorithms and to further the development of these algorithm within ESP.
本文档是大多数ESP密码算法文档的合并。此次合并旨在促进对所有ESP算法共性的更深入理解,并进一步推动ESP中这些算法的发展。
The content of this document is based on suggestions originally from Stephen Kent and subsequent discussions from the IPSec mailing list as well as other IPSec documents.
本文档的内容基于Stephen Kent最初提出的建议以及IPSec邮件列表以及其他IPSec文档中的后续讨论。
Special thanks to Carlisle Adams and Paul Van Oorschot both of Entrust Technologies who provided input and review of CAST.
特别感谢Trust Technologies的卡莱尔·亚当斯(Carlisle Adams)和保罗·范·奥尔肖特(Paul Van Oorschot),他们为CAST提供了意见和评论。
Thanks to all of the editors of the previous ESP 3DES documents; W. Simpson, N. Doraswamy, P. Metzger, and P. Karn.
感谢以前ESP 3DES文档的所有编辑;辛普森、多拉斯瓦米、梅茨格和卡恩。
Thanks to Brett Howard from TimeStep for his original work of ESP-RC5.
感谢TimeStep的Brett Howard对ESP-RC5的原创工作。
Thanks to Markku-Juhani Saarinen, Helger Lipmaa and Bart Preneel for their input on IDEA and other ciphers.
感谢Markku Juhani Saarinen、Helger Lipmaa和Bart Preneel对IDEA和其他密码的投入。
Roy Pereira TimeStep Corporation
罗伊·佩雷拉时代步公司
Phone: +1 (613) 599-3610 x 4808
EMail: rpereira@timestep.com
Phone: +1 (613) 599-3610 x 4808
EMail: rpereira@timestep.com
Rob Adams Cisco Systems Inc.
罗布·亚当斯思科系统公司。
Phone: +1 (408) 457-5397
EMail: adams@cisco.com
Phone: +1 (408) 457-5397
EMail: adams@cisco.com
Contributors:
贡献者:
Robert W. Baldwin RSA Data Security, Inc.
Robert W.Baldwin RSA数据安全公司。
Phone: +1 (415) 595-8782
EMail: baldwin@rsa.com or baldwin@lcs.mit.edu
Phone: +1 (415) 595-8782
EMail: baldwin@rsa.com or baldwin@lcs.mit.edu
Greg Carter Entrust Technologies
格雷格·卡特技术公司
Phone: +1 (613) 763-1358
EMail: carterg@entrust.com
Phone: +1 (613) 763-1358
EMail: carterg@entrust.com
Rodney Thayer Sable Technology Corporation
罗德尼·塞耶科技公司
Phone: +1 (617) 332-7292
EMail: rodney@sabletech.com
Phone: +1 (617) 332-7292
EMail: rodney@sabletech.com
The IPSec working group can be contacted via the IPSec working group's mailing list (ipsec@tis.com) or through its chairs:
可以通过IPSec工作组的邮件列表联系IPSec工作组(ipsec@tis.com)或者通过它的椅子:
Robert Moskowitz International Computer Security Association
罗伯特·莫斯科维茨国际计算机安全协会
EMail: rgm@icsa.net
EMail: rgm@icsa.net
Theodore Y. Ts'o Massachusetts Institute of Technology
西奥多·Y·曹麻省理工学院
EMail: tytso@MIT.EDU
EMail: tytso@MIT.EDU
Copyright (C) The Internet Society (1998). All Rights Reserved.
版权所有(C)互联网协会(1998年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。