Internet Engineering Task Force (IETF)                         G. Hudson
Request for Comments: 6803                       MIT Kerberos Consortium
Category: Informational                                    November 2012
ISSN: 2070-1721
        
Internet Engineering Task Force (IETF)                         G. Hudson
Request for Comments: 6803                       MIT Kerberos Consortium
Category: Informational                                    November 2012
ISSN: 2070-1721
        

Camellia Encryption for Kerberos 5

Kerberos 5的Camellia加密

Abstract

摘要

This document specifies two encryption types and two corresponding checksum types for the Kerberos cryptosystem framework defined in RFC 3961. The new types use the Camellia block cipher in CBC mode with ciphertext stealing and the CMAC algorithm for integrity protection.

本文档为RFC 3961中定义的Kerberos密码系统框架指定了两种加密类型和两种相应的校验和类型。新类型在CBC模式下使用带密文窃取的Camellia分组密码,并使用CMAC算法进行完整性保护。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6803.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6803.

Copyright Notice

版权公告

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

1. Introduction
1. 介绍

The Camellia block cipher, described in [RFC3713], has a 128-bit block size and a 128-bit, 192-bit, or 256-bit key size, similar to AES. This document specifies Kerberos encryption and checksum types for Camellia using 128-bit or 256-bit keys. The new types conform to the framework specified in [RFC3961] but do not use the simplified profile.

[RFC3713]中描述的Camellia分组密码具有128位的块大小和128位、192位或256位的密钥大小,类似于AES。本文档使用128位或256位密钥为Camellia指定Kerberos加密和校验和类型。新类型符合[RFC3961]中指定的框架,但不使用简化配置文件。

Like the simplified profile, the new types use key derivation to produce keys for encryption, integrity protection, and checksum operations. Instead of the key derivation function described in [RFC3961], Section 5.1, the new types use a key derivation function from the family specified in [SP800-108].

与简化的配置文件一样,新类型使用密钥派生来生成用于加密、完整性保护和校验和操作的密钥。新类型不使用[RFC3961]第5.1节中所述的密钥派生函数,而是使用[SP800-108]中指定的系列中的密钥派生函数。

The new types use the CMAC algorithm for integrity protection and checksum operations. As a consequence, they do not rely on a hash algorithm except when generating keys from strings.

新类型使用CMAC算法进行完整性保护和校验和操作。因此,除非从字符串生成密钥,否则它们不依赖哈希算法。

Like the AES encryption types [RFC3962], the new encryption types use CBC mode with ciphertext stealing [RFC3962] to avoid the need for padding. They also use the same PBKDF2 algorithm for key generation from strings, with a modification to the salt string to ensure that different keys are generated for Camellia and AES encryption types.

与AES加密类型[RFC3962]一样,新的加密类型使用CBC模式和密文窃取[RFC3962]来避免填充。他们还使用相同的PBKDF2算法从字符串生成密钥,并对salt字符串进行了修改,以确保为Camellia和AES加密类型生成不同的密钥。

2. Protocol Key Representation
2. 协议密钥表示

The Camellia key space is dense, so we use random octet strings directly as keys. The first bit of the Camellia bit string is the high bit of the first byte of the random octet string.

Camellia密钥空间是稠密的,因此我们直接使用随机八位组字符串作为密钥。Camellia位字符串的第一位是随机八位组字符串的第一个字节的高位。

3. Key Derivation
3. 密钥派生

We use a key derivation function from the family specified in [SP800-108], Section 5.2, "KDF in Feedback Mode". The PRF parameter of the key derivation function is CMAC with Camellia-128 or Camellia-256 as the underlying block cipher; this PRF has an output size of 128 bits. A block counter is used with a length of 4 bytes, represented in big-endian order. The length of the output key in bits (denoted as k) is also represented as a 4-byte string in big-endian order. The label input to the KDF is the usage constant supplied to the key derivation function, and the context is unused. In the following summary, | indicates concatenation. The random-to-key function is the identity function, as defined in Section 6. The k-truncate function is defined in [RFC3961], Section 5.1.

我们使用[SP800-108]第5.2节“反馈模式下的KDF”中规定的系列的密钥派生函数。密钥导出函数的PRF参数为CMAC,以Camellia-128或Camellia-256作为底层分组密码;该PRF的输出大小为128位。块计数器的长度为4字节,以大端顺序表示。以位(表示为k)为单位的输出键的长度也表示为一个以大端顺序表示的4字节字符串。KDF的标签输入是提供给键派生函数的用法常量,上下文是未使用的。在以下摘要中,|表示串联。随机键功能是第6节中定义的标识功能。[RFC3961]第5.1节定义了k-截断函数。

   n = ceiling(k / 128)
   K(0) = zeros
   K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k)
   DR(key, constant) = k-truncate(K(1) | K(2) | ... | K(n))
   KDF-FEEDBACK-CMAC(key, constant) = random-to-key(DR(key, constant))
        
   n = ceiling(k / 128)
   K(0) = zeros
   K(i) = CMAC(key, K(i-1) | i | constant | 0x00 | k)
   DR(key, constant) = k-truncate(K(1) | K(2) | ... | K(n))
   KDF-FEEDBACK-CMAC(key, constant) = random-to-key(DR(key, constant))
        

The constants used for key derivation are the same as those used in the simplified profile.

用于密钥派生的常量与简化配置文件中使用的常量相同。

4. Key Generation from Strings
4. 从字符串生成密钥

We use a variation on the key generation algorithm specified in [RFC3962], Section 4.

我们使用[RFC3962]第4节中规定的密钥生成算法的变体。

First, to ensure that different long-term keys are used with Camellia and AES, we prepend the enctype name to the salt string, separated by a null byte. The enctype name is "camellia128-cts-cmac" or "camellia256-cts-cmac" (without the quotes).

首先,为了确保Camellia和AES使用不同的长期密钥,我们在salt字符串前面加上enctype名称,用空字节分隔。enctype名称为“Camellia 128 cts cmac”或“Camellia 256 cts cmac”(不带引号)。

Second, the final key derivation step uses the algorithm described in Section 3 instead of the key derivation algorithm used by the simplified profile.

其次,最后的密钥推导步骤使用第3节中描述的算法,而不是简化配置文件使用的密钥推导算法。

Third, if no string-to-key parameters are specified, the default number of iterations is raised to 32768.

第三,如果没有指定字符串到键的参数,则默认迭代次数将提高到32768。

   saltp = enctype-name | 0x00 | salt
   tkey = random-to-key(PBKDF2-HMAC-SHA1(passphrase, saltp,
                                         iter_count, keylength))
   key = KDF-FEEDBACK-CMAC(tkey, "kerberos")
        
   saltp = enctype-name | 0x00 | salt
   tkey = random-to-key(PBKDF2-HMAC-SHA1(passphrase, saltp,
                                         iter_count, keylength))
   key = KDF-FEEDBACK-CMAC(tkey, "kerberos")
        
5. CMAC Checksum Algorithm
5. CMAC校验和算法

For integrity protection and checksums, we use the CMAC function defined in [SP800-38B], with Camellia-128 or Camellia-256 as the underlying block cipher. The output length (Tlen) is 128 bits for both key sizes.

对于完整性保护和校验和,我们使用[SP800-38B]中定义的CMAC函数,使用Camellia-128或Camellia-256作为底层分组密码。两种密钥大小的输出长度(Tlen)均为128位。

6. Encryption Algorithm Parameters
6. 加密算法参数

The following parameters, required by [RFC3961], Section 3, apply to the encryption types camellia128-cts-cmac, which uses a 128-bit protocol key, and camellia256-cts-cmac, which uses a 256-bit protocol key.

[RFC3961]第3节要求的以下参数适用于加密类型camellia128 cts cmac(使用128位协议密钥)和camellia256 cts cmac(使用256位协议密钥)。

Protocol key format: as defined in Section 2.

协议密钥格式:如第2节所定义。

Specific key structure: three protocol format keys: { Kc, Ke, Ki }.

特定密钥结构:三个协议格式密钥:{Kc,Ke,Ki}。

Required checksum mechanism: as defined in Section 7.

所需校验和机制:如第7节所定义。

Key generation seed length: the key size (128 or 256 bits).

密钥生成种子长度:密钥大小(128或256位)。

String-to-key function: as defined in Section 4.

字符串到键函数:如第4节所定义。

Random-to-key function: identity function.

随机键函数:标识函数。

Key-derivation function: as indicated below, with usage represented as 4 octets in big-endian order.

键派生函数:如下所示,用法表示为大端顺序的4个八位字节。

String-to-key parameter format: 4 octets indicating a 32-bit iteration count in big-endian order. Implementations may limit the count as specified in [RFC3962], Section 4.

字符串到键参数格式:4个八位字节,表示以大端顺序进行的32位迭代计数。实施可能会限制[RFC3962]第4节中规定的计数。

Default string-to-key parameters: 00 00 80 00.

键参数的默认字符串:00 80 00。

   Kc = KDF-FEEDBACK-CMAC(base-key, usage | 0x99)
   Ke = KDF-FEEDBACK-CMAC(base-key, usage | 0xAA)
   Ki = KDF-FEEDBACK-CMAC(base-key, usage | 0x55)
        
   Kc = KDF-FEEDBACK-CMAC(base-key, usage | 0x99)
   Ke = KDF-FEEDBACK-CMAC(base-key, usage | 0xAA)
   Ki = KDF-FEEDBACK-CMAC(base-key, usage | 0x55)
        

Cipher state: a 128-bit CBC initialization vector.

密码状态:128位CBC初始化向量。

Initial cipher state: all bits zero.

初始密码状态:所有位为零。

Encryption function: as follows, where E() is Camellia encryption in CBC-CTS mode, with the next-to-last block used as the CBC-style ivec, or the last block if there is only one.

加密函数:如下所示,其中E()是CBC-CTS模式下的Camellia加密,最后一个块用作CBC样式的ivec,如果只有一个块,则使用最后一个块。

   conf = Random string of 128 bits
   (C, newstate) = E(Ke, conf | plaintext, oldstate)
   M = CMAC(Ki, conf | plaintext)
   ciphertext = C | M
        
   conf = Random string of 128 bits
   (C, newstate) = E(Ke, conf | plaintext, oldstate)
   M = CMAC(Ki, conf | plaintext)
   ciphertext = C | M
        

Decryption function: as follows, where D() is Camellia decryption in CBC-CTS mode, with the ivec treated as in E(). To separate the ciphertext into C and M components, use the final 16 bytes for M and all of the preceding bytes for C.

解密函数:如下所示,其中D()是CBC-CTS模式下的茶花解密,ivec被视为E()。要将密文分为C和M两个部分,请使用最后16个字节表示M,前面所有字节表示C。

   (C, M) = ciphertext
   (P, newIV) = D(Ke, C, oldstate)
   if (M != CMAC(Ki, P)) report error
   newstate = newIV
        
   (C, M) = ciphertext
   (P, newIV) = D(Ke, C, oldstate)
   if (M != CMAC(Ki, P)) report error
   newstate = newIV
        

Pseudo-random function: as follows.

伪随机函数:如下所示。

   Kp = KDF-FEEDBACK-CMAC(protocol-key, "prf")
   PRF = CMAC(Kp, octet-string)
        
   Kp = KDF-FEEDBACK-CMAC(protocol-key, "prf")
   PRF = CMAC(Kp, octet-string)
        
7. Checksum Parameters
7. 校验和参数

The following parameters, required by [RFC3961], Section 4, apply to the checksum types cmac-camellia128 and cmac-camellia256, which are the associated checksum for camellia128-cts-cmac and camellia256-cts-cmac, respectively.

[RFC3961]第4节要求的以下参数适用于校验和类型cmac-camellia128和cmac-camellia256,它们分别是camellia128 cts cmac和camellia256 cts cmac的相关校验和。

Associated cryptosystem: Camellia-128 or Camellia-256 as appropriate for the checksum type.

相关密码系统:Camellia-128或Camellia-256,适用于校验和类型。

get_mic: CMAC(Kc, message).

获取麦克风:CMAC(Kc,消息)。

verify_mic: get_mic and compare.

验证麦克风:获取麦克风并进行比较。

8. Security Considerations
8. 安全考虑

Chapter 4 of [CRYPTOENG] discusses weaknesses of the CBC cipher mode. An attacker who can observe enough messages generated with the same key to encounter a collision in ciphertext blocks could recover the XOR of the plaintexts of the previous blocks. Observing such a collision becomes likely as the number of blocks observed approaches 2^64. This consideration applies to all previously standardized Kerberos encryption types and all uses of CBC encryption with 128-bit block ciphers in other protocols. Kerberos deployments can mitigate this concern by rolling over keys often enough to make observing 2^64 messages unlikely.

[CRYPTOENG]的第4章讨论了CBC密码模式的弱点。如果攻击者能够观察到使用相同密钥生成的足够多的消息,从而在密文块中遇到冲突,则可以恢复先前块的明文的异或。当观察到的块数接近2^64时,就有可能观察到这种碰撞。这一考虑适用于所有以前标准化的Kerberos加密类型以及在其他协议中使用128位块密码的CBC加密。Kerberos部署可以通过频繁地滚动密钥来缓解此问题,从而使观察2^64消息变得不太可能。

Because the new checksum types are deterministic, an attacker could pre-compute checksums for a known plain-text message in 2^64 randomly chosen protocol keys. The attacker could then observe checksums legitimately computed in different keys until a collision with one of the pre-computed keys is observed; this becomes likely after the number of observed checksums approaches 2^64. Observing such a collision allows the attacker to recover the protocol key. This consideration applies to most previously standardized Kerberos checksum types and most uses of 128-bit checksums in other protocols.

由于新的校验和类型是确定性的,攻击者可以在2^64个随机选择的协议密钥中预先计算已知纯文本消息的校验和。然后,攻击者可以观察在不同密钥中合法计算的校验和,直到观察到与其中一个预先计算的密钥发生冲突;在观察到的校验和数接近2^64后,这很可能发生。观察这种冲突可使攻击者恢复协议密钥。这一考虑适用于大多数以前标准化的Kerberos校验和类型以及其他协议中128位校验和的大多数使用。

Kerberos deployments should not migrate to the Camellia encryption types simply because they are newer, but should use them only if business needs require the use of Camellia, or if a serious flaw is discovered in AES which does not apply to Camellia.

Kerberos部署不应仅仅因为较新而迁移到Camellia加密类型,而应仅在业务需要需要使用Camellia,或者在AES中发现不适用于Camellia的严重缺陷时使用它们。

The security considerations described in [RFC3962], Section 8, regarding the string-to-key algorithm also apply to the Camellia encryption types.

[RFC3962]第8节中描述的关于字符串到密钥算法的安全注意事项也适用于Camellia加密类型。

At the time of writing this document, there are no known weak keys for Camellia, and no security problem has been found on Camellia (see [NESSIE], [CRYPTREC], and [LNCS5867]).

在编写本文档时,Camellia没有已知的弱密钥,也没有发现Camellia存在任何安全问题(请参见[NESSIE]、[CRYPTREC]和[LNCS5867])。

9. IANA Considerations
9. IANA考虑

IANA has assigned the following numbers from the Encryption Type Numbers and Checksum Type Numbers registries defined in [RFC3961], Section 11.

IANA已从[RFC3961]第11节中定义的加密类型号和校验和类型号注册表中分配了以下编号。

Encryption types

加密类型

               +-------+----------------------+-----------+
               | etype | encryption type      | Reference |
               +-------+----------------------+-----------+
               | 25    | camellia128-cts-cmac | [RFC6803] |
               | 26    | camellia256-cts-cmac | [RFC6803] |
               +-------+----------------------+-----------+
        
               +-------+----------------------+-----------+
               | etype | encryption type      | Reference |
               +-------+----------------------+-----------+
               | 25    | camellia128-cts-cmac | [RFC6803] |
               | 26    | camellia256-cts-cmac | [RFC6803] |
               +-------+----------------------+-----------+
        

Checksum types

校验和类型

     +---------------+------------------+---------------+-----------+
     | sumtype value | Checksum type    | checksum size | Reference |
     +---------------+------------------+---------------+-----------+
     | 17            | cmac-camellia128 | 16            | [RFC6803] |
     | 18            | cmac-camellia256 | 16            | [RFC6803] |
     +---------------+------------------+---------------+-----------+
        
     +---------------+------------------+---------------+-----------+
     | sumtype value | Checksum type    | checksum size | Reference |
     +---------------+------------------+---------------+-----------+
     | 17            | cmac-camellia128 | 16            | [RFC6803] |
     | 18            | cmac-camellia256 | 16            | [RFC6803] |
     +---------------+------------------+---------------+-----------+
        
10. Test Vectors
10. 测试向量

Sample results for string-to-key conversion:

字符串到键转换的示例结果:

Iteration count = 1 Pass phrase = "password" Salt = "ATHENA.MIT.EDUraeburn" 128-bit Camellia key: 57 D0 29 72 98 FF D9 D3 5D E5 A4 7F B4 BD E2 4B 256-bit Camellia key: B9 D6 82 8B 20 56 B7 BE 65 6D 88 A1 23 B1 FA C6 82 14 AC 2B 72 7E CF 5F 69 AF E0 C4 DF 2A 6D 2C

迭代计数=1通过短语=“password”Salt=“ATHENA.MIT.EDUraeburn”128位茶花键:57 D0 29 72 98 FF D9 D3 5D E5 A4 7F B4 BD E2 4B 256位茶花键:B9 D6 82 8B 20 56 B7 BE 65 6D 88 A1 23 B1 FA C6 82 14 AC 2B 72 7E CF 5F 69 AF E0 C4 DF 2A 6D 2C

Iteration count = 2 Pass phrase = "password" Salt = "ATHENA.MIT.EDUraeburn" 128-bit Camellia key: 73 F1 B5 3A A0 F3 10 F9 3B 1D E8 CC AA 0C B1 52 256-bit Camellia key: 83 FC 58 66 E5 F8 F4 C6 F3 86 63 C6 5C 87 54 9F 34 2B C4 7E D3 94 DC 9D 3C D4 D1 63 AD E3 75 E3

迭代计数=2通过短语=“password”Salt=“ATHENA.MIT.EDUraeburn”128位茶花键:73 F1 B5 3A A0 F3 10 F9 3B 1D E8 CC AA 0C B1 52 256位茶花键:83 FC 58 66 E5 F8 F4 C6 F3 86 63 C6 5C 87 54 9F 34 2B C4 7E D3 94 DC 9D 3C D4 D1 63 AD E3 75 E3

Iteration count = 1200 Pass phrase = "password" Salt = "ATHENA.MIT.EDUraeburn" 128-bit Camellia key: 8E 57 11 45 45 28 55 57 5F D9 16 E7 B0 44 87 AA 256-bit Camellia key: 77 F4 21 A6 F2 5E 13 83 95 E8 37 E5 D8 5D 38 5B 4C 1B FD 77 2E 11 2C D9 20 8C E7 2A 53 0B 15 E6

迭代计数=1200 Pass phrase=“password”Salt=“ATHENA.MIT.EDUraeburn”128位茶花密钥:8E 57 11 45 28 55 57 5F D9 16 E7 B0 44 87 AA 256位茶花密钥:77 F4 21 A6 F2 5E 13 83 95 E8 37 E5 D8 5D 38 5B 4C 1B FD 77 2E 11 2C D9 20 8C E7 53 0B 15 E6

Iteration count = 5 Pass phrase = "password" Salt=0x1234567878563412 128-bit Camellia key: 00 49 8F D9 16 BF C1 C2 B1 03 1C 17 08 01 B3 81 256-bit Camellia key: 11 08 3A 00 BD FE 6A 41 B2 F1 97 16 D6 20 2F 0A FA 94 28 9A FE 8B 27 A0 49 BD 28 B1 D7 6C 38 9A

迭代计数=5 Pass phrase=“password”Salt=0x123456788563412 128位茶花键:00 49 8F D9 16 BF C1 C2 B1 03 1C 17 08 01 B3 81 256位茶花键:11 08 3A 00 BD FE 6A 41 B2 F1 97 16 D6 20 2F 0A FA 94 28 9A FE 8B 27 A0 49 BD 28 B1 D7 6C 38 9A

   Iteration count = 1200
   Pass phrase = (64 characters)
     "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
   Salt="pass phrase equals block size"
   128-bit Camellia key:
       8B F6 C3 EF 70 9B 98 1D BB 58 5D 08 68 43 BE 05
   256-bit Camellia key:
       11 9F E2 A1 CB 0B 1B E0 10 B9 06 7A 73 DB 63 ED
       46 65 B4 E5 3A 98 D1 78 03 5D CF E8 43 A6 B9 B0
        
   Iteration count = 1200
   Pass phrase = (64 characters)
     "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
   Salt="pass phrase equals block size"
   128-bit Camellia key:
       8B F6 C3 EF 70 9B 98 1D BB 58 5D 08 68 43 BE 05
   256-bit Camellia key:
       11 9F E2 A1 CB 0B 1B E0 10 B9 06 7A 73 DB 63 ED
       46 65 B4 E5 3A 98 D1 78 03 5D CF E8 43 A6 B9 B0
        
   Iteration count = 1200
   Pass phrase = (65 characters)
     "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
   Salt = "pass phrase exceeds block size"
   128-bit Camellia key:
       57 52 AC 8D 6A D1 CC FE 84 30 B3 12 87 1C 2F 74
   256-bit Camellia key:
       61 4D 5D FC 0B A6 D3 90 B4 12 B8 9A E4 D5 B0 88
       B6 12 B3 16 51 09 94 67 9D DB 43 83 C7 12 6D DF
        
   Iteration count = 1200
   Pass phrase = (65 characters)
     "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
   Salt = "pass phrase exceeds block size"
   128-bit Camellia key:
       57 52 AC 8D 6A D1 CC FE 84 30 B3 12 87 1C 2F 74
   256-bit Camellia key:
       61 4D 5D FC 0B A6 D3 90 B4 12 B8 9A E4 D5 B0 88
       B6 12 B3 16 51 09 94 67 9D DB 43 83 C7 12 6D DF
        

Iteration count = 50 Pass phrase = g-clef (0xf09d849e) Salt = "EXAMPLE.COMpianist" 128-bit Camellia key: CC 75 C7 FD 26 0F 1C 16 58 01 1F CC 0D 56 06 16 256-bit Camellia key: 16 3B 76 8C 6D B1 48 B4 EE C7 16 3D F5 AE D7 0E 20 6B 68 CE C0 78 BC 06 9E D6 8A 7E D3 6B 1E CC

迭代计数=50通行短语=g-clef(0xf09d849e)Salt=“EXAMPLE.COMpianist”128位茶花键:CC 75 C7 FD 26 0F 1C 16 58 01 1F CC 0D 56 06 16 256位茶花键:16 3B 76 8C 6D B1 48 B4 EE C7 16 3D F5 AE D7 0E 20 6B 68 CE C0 78 BC 06 9E D6 8A 7E D3 6B 1E CC

Sample results for key derivation:

密钥派生的示例结果:

128-bit Camellia key: 57 D0 29 72 98 FF D9 D3 5D E5 A4 7F B4 BD E2 4B Kc value for key usage 2 (constant = 0x0000000299): D1 55 77 5A 20 9D 05 F0 2B 38 D4 2A 38 9E 5A 56 Ke value for key usage 2 (constant = 0x00000002AA): 64 DF 83 F8 5A 53 2F 17 57 7D 8C 37 03 57 96 AB Ki value for key usage 2 (constant = 0x0000000255): 3E 4F BD F3 0F B8 25 9C 42 5C B6 C9 6F 1F 46 35

128位Camellia密钥:57 D0 29 72 98 FF D9 D3 5D E5 A4 7F B4 BD E2 4B密钥使用2的Kc值(常数=0x0000000299):D1 55 77 5A 20 9D 05 F0 2B 38 D4 2A 38 9E 5A 56 Ke密钥使用2的Ke值(常数=0x00000002AA):64 DF 83 F8 5A 53 2F 17 57 7D 8C 37 03 57 96 AB Ki密钥使用2的值(常数=0x0000000255):3E 4F BD F3 0F B8 25 9C 42 5C B6 C9 6F 1F 46 35

256-bit Camellia key: B9 D6 82 8B 20 56 B7 BE 65 6D 88 A1 23 B1 FA C6 82 14 AC 2B 72 7E CF 5F 69 AF E0 C4 DF 2A 6D 2C Kc value for key usage 2 (constant = 0x0000000299): E4 67 F9 A9 55 2B C7 D3 15 5A 62 20 AF 9C 19 22 0E EE D4 FF 78 B0 D1 E6 A1 54 49 91 46 1A 9E 50 Ke value for key usage 2 (constant = 0x00000002AA): 41 2A EF C3 62 A7 28 5F C3 96 6C 6A 51 81 E7 60 5A E6 75 23 5B 6D 54 9F BF C9 AB 66 30 A4 C6 04 Ki value for key usage 2 (constant = 0x0000000255): FA 62 4F A0 E5 23 99 3F A3 88 AE FD C6 7E 67 EB CD 8C 08 E8 A0 24 6B 1D 73 B0 D1 DD 9F C5 82 B0

256位Camellia密钥:B9 D6 82 8B 20 56 B7 BE 65 6D 88 A1 23 B1 FA C6 82 14 AC 2B 72 7E CF 5F 69 AF E0 C4 DF 2A 6D 2C密钥使用的Kc值2(常数=0x0000000299):E4 67 F9 A9 55 2B C7 D3 15 5A 62 20 AF 9C 19 22 0E EE D4 FF 78 B0 D1 E6 A1 54 49 91 1A 9E 50 Ke密钥使用的值2(常数=0x00000002AA):41 2A EF C3 62 A7 28 5F C3 96 6C 6A 51 81 E7 60 5A E6 75 23 5B 6D 54 9F BF C9 AB 66 30 A4 C6 04密钥使用2的Ki值(常数=0x0000000255):FA 62 4F A0 E5 23 99 3F A3 88 AE FD C6 7E 67 EB CD 8C 08 E8 A0 24 6B 1D 73 B0 D1 DD 9F C5 82 B0

Sample encryptions (all using the default cipher state):

加密示例(全部使用默认密码状态):

Plaintext: (empty) 128-bit Camellia key: 1D C4 6A 8D 76 3F 4F 93 74 2B CB A3 38 75 76 C3 Random confounder: B6 98 22 A1 9A 6B 09 C0 EB C8 55 7D 1F 1B 6C 0A Ciphertext: C4 66 F1 87 10 69 92 1E DB 7C 6F DE 24 4A 52 DB 0B A1 0E DC 19 7B DB 80 06 65 8C A3 CC CE 6E B8

明文:(空)128位Camellia密钥:1D C4 6A 8D 76 3F 4F 93 74 2B CB A3 38 75 76 C3随机混杂因子:B6 98 22 A1 9A 6B 09 C0 EB C8 55 7D 1F 1B 6C 0A密文:C4 66 F1 87 10 69 92 1E DB 7C 6F DE 24 4A 52 DB 0B A1 0E DC 19 7B DB 80 06 65 8C A3 CC CE 6E B8

Plaintext: 1 Random confounder: 6F 2F C3 C2 A1 66 FD 88 98 96 7A 83 DE 95 96 D9 128-bit Camellia key: 50 27 BC 23 1D 0F 3A 9D 23 33 3F 1C A6 FD BE 7C Ciphertext: 84 2D 21 FD 95 03 11 C0 DD 46 4A 3F 4B E8 D6 DA 88 A5 6D 55 9C 9B 47 D3 F9 A8 50 67 AF 66 15 59 B8

明文:1随机混杂因素:6F 2F C3 C2 A1 66 FD 88 98 96 7A 83 DE 95 96 D9 128位茶花键:50 27 BC 23 1D 0F 3A 9D 23 33 F 1C A6 FD BE 7C密文:84 2D 21 FD 95 03 11 C0 DD 46 4A 3F 4B E8 D6 DA 88 A5 6D 55 9C 9B 47 D3 F9 A8 50 67 AF 66 59 B8

Plaintext: 9 bytesss Random confounder: A5 B4 A7 1E 07 7A EE F9 3C 87 63 C1 8F DB 1F 10 128-bit Camellia key: A1 BB 61 E8 05 F9 BA 6D DE 8F DB DD C0 5C DE A0 Ciphertext: 61 9F F0 72 E3 62 86 FF 0A 28 DE B3 A3 52 EC 0D 0E DF 5C 51 60 D6 63 C9 01 75 8C CF 9D 1E D3 3D 71 DB 8F 23 AA BF 83 48 A0

明文:9字节随机混杂:A5 B4 A7 1E 07 7A EE F9 3C 87 63 C1 8F DB 1F 10 128位茶花键:A1 BB 61 E8 05 F9 BA 6D DE 8F DB DD C0 5C DE A0密文:61 9F F0 72 E3 62 86 FF 0A 28 DE B3 52 EC 0D 0E DF 5C 51 60 D6 63 C9 01 75 8C CF 9D 1E D3 3D 71 DB 23 AA BF 83 48 A0

Plaintext: 13 bytes byte Random confounder: 19 FE E4 0D 81 0C 52 4B 5B 22 F0 18 74 C6 93 DA 128-bit Camellia key: 2C A2 7A 5F AF 55 32 24 45 06 43 4E 1C EF 66 76 Ciphertext: B8 EC A3 16 7A E6 31 55 12 E5 9F 98 A7 C5 00 20 5E 5F 63 FF 3B B3 89 AF 1C 41 A2 1D 64 0D 86 15 C9 ED 3F BE B0 5A B6 AC B6 76 89 B5 EA

明文:13字节字节随机混杂:19 FE E4 0D 81 0C 52 4B 5B 22 F0 18 74 C6 93 DA 128位茶花密钥:2C A2 7A 5F AF 55 32 24 45 06 43 4E 1C EF 66 76密文:B8 EC A3 16 7A E6 31 55 12 E5 9F 98 A7 C5 00 20 5E 5F 63 FF 3B 89 AF 1C 41 A2 64 0D 86 15 C9 ED 3F BE 5A B6 AC B6 76 B5 EA

Plaintext: 30 bytes bytes bytes bytes byt Random confounder: CA 7A 7A B4 BE 19 2D AB D6 03 50 6D B1 9C 39 E2 128-bit Camellia key: 78 24 F8 C1 6F 83 FF 35 4C 6B F7 51 5B 97 3F 43 Ciphertext: A2 6A 39 05 A4 FF D5 81 6B 7B 1E 27 38 0D 08 09 0C 8E C1 F3 04 49 6E 1A BD CD 2B DC D1 DF FC 66 09 89 E1 17 A7 13 DD BB 57 A4 14 6C 15 87 CB A4 35 66 65 59 1D 22 40 28 2F 58 42 B1 05 A5

明文:30字节字节字节byt随机混杂:CA 7A B4 BE 19 2D AB D6 03 50 6D B1 9C 39 E2 128位茶花键:78 24 F8 C1 6F 83 FF 35 4C 6B F7 51 5B 97 3F 43密文:A2 6A 39 05 A4 FF D5 81 6B 7B 1E 27 38 0D 08 09 0C 8E C1 F3 04 49 6E 1A BD CD 2B DC D1 FC 66 09 89 E1 17 A7 13 DD 57 A4 14 6C 15 CB A4 35 66 59 1D22 40 28 2F 58 42 B1 05 A5

Plaintext: (empty) Random confounder: 3C BB D2 B4 59 17 94 10 67 F9 65 99 BB 98 92 6C 256-bit Camellia key: B6 1C 86 CC 4E 5D 27 57 54 5A D4 23 39 9F B7 03 1E CA B9 13 CB B9 00 BD 7A 3C 6D D8 BF 92 01 5B Ciphertext: 03 88 6D 03 31 0B 47 A6 D8 F0 6D 7B 94 D1 DD 83 7E CC E3 15 EF 65 2A FF 62 08 59 D9 4A 25 92 66

明文:(空)随机混杂因子:3C BB D2 B4 59 17 94 10 67 F9 65 99 BB 98 92 6C 256位茶花键:B6 1C 86 CC 4E 5D 27 57 54 5A D4 23 39 9F B7 03 1E CA B9 13 CB B9 00 BD 7A 3C 6D D8 BF 92 01 5B密文:03 88 6D 03 31 0B 47 A6 D8 F0 6D 7B 94 D1 DD 83 7E CC E3 15 EF 65 2A FF 62 08 59 D9 4A 25 92 66

Plaintext: 1 Random confounder: DE F4 87 FC EB E6 DE 63 46 D4 DA 45 21 BB A2 D2 256-bit Camellia key: 1B 97 FE 0A 19 0E 20 21 EB 30 75 3E 1B 6E 1E 77 B0 75 4B 1D 68 46 10 35 58 64 10 49 63 46 38 33 Ciphertext: 2C 9C 15 70 13 3C 99 BF 6A 34 BC 1B 02 12 00 2F D1 94 33 87 49 DB 41 35 49 7A 34 7C FC D9 D1 8A 12

明文:1随机混杂因素:DE F4 87 FC EB E6 DE 63 46 D4 DA 45 21 BB A2 D2 256位茶花键:1B 97 FE 0A 19 0E 20 21 EB 30 75 3E 1B 6E 1E 77 B0 75 4B 1D 68 46 10 35 58 64 10 49 63 38 33密文:2C 9C 15 70 13 3C 99 BF 6A 34 BC 1B 02 12 00 2F D1 94 33 87 49 DB 41 35 49 7A 34 7C FC D9 D1 8A 12

Plaintext: 9 bytesss Random confounder: AD 4F F9 04 D3 4E 55 53 84 B1 41 00 FC 46 5F 88 256-bit Camellia key: 32 16 4C 5B 43 4D 1D 15 38 E4 CF D9 BE 80 40 FE 8C 4A C7 AC C4 B9 3D 33 14 D2 13 36 68 14 7A 05 Ciphertext: 9C 6D E7 5F 81 2D E7 ED 0D 28 B2 96 35 57 A1 15 64 09 98 27 5B 0A F5 15 27 09 91 3F F5 2A 2A 9C 8E 63 B8 72 F9 2E 64 C8 39

明文:9 bytess随机混杂:AD 4F F9 04 D3 4E 55 53 84 B1 41 00 FC 46 5F 88 256位茶花键:32 16 4C 5B 43 4D 1D 15 38 E4 CF D9 BE 80 40 FE 8C 4A C7 AC C4 B9 3D 33 14 D2 13 36 68 14 7A 05密文:9C 6D E7 5F 81 2D E7 ED 0D 28 B2 96 35 57 A1 15 64 09 98 27 5B 0A F5 27 09 3F F5 2A 9C 8E 63 B8 72 F9 2E 64 C8 39

Plaintext: 13 bytes byte Random confounder: CF 9B CA 6D F1 14 4E 0C 0A F9 B8 F3 4C 90 D5 14 256-bit Camellia key: B0 38 B1 32 CD 8E 06 61 22 67 FA B7 17 00 66 D8 8A EC CB A0 B7 44 BF C6 0D C8 9B CA 18 2D 07 15 Ciphertext: EE EC 85 A9 81 3C DC 53 67 72 AB 9B 42 DE FC 57 06 F7 26 E9 75 DD E0 5A 87 EB 54 06 EA 32 4C A1 85 C9 98 6B 42 AA BE 79 4B 84 82 1B EE

纯文本:13字节字节字节随机混杂:CF 9B CA 6D F1 14 4E 0C 0A F9 B8 F3 4C 90 D5 14 256位茶花键:B0 38 B1 32 CD 8E 06 61 22 67 FA B7 17 00 66 D8 8A EC CB A0 B7 44 BF C6 0D C8 9B CA 18 2D 07 15密文:EE EC 85 A9 81 3C DC 53 67 AB 9B 42 DE FC 57 06 F7 26 E9 75 DD E0 5A 87 EB 54 06 EA 32 4C A1 85 C9 98 6B 42 AA BE 79 4B 8482 1B EE

Plaintext: 30 bytes bytes bytes bytes byt Random confounder: 64 4D EF 38 DA 35 00 72 75 87 8D 21 68 55 E2 28 256-bit Camellia key: CC FC D3 49 BF 4C 66 77 E8 6E 4B 02 B8 EA B9 24 A5 46 AC 73 1C F9 BF 69 89 B9 96 E7 D6 BF BB A7 Ciphertext: 0E 44 68 09 85 85 5F 2D 1F 18 12 52 9C A8 3B FD 8E 34 9D E6 FD 9A DA 0B AA A0 48 D6 8E 26 5F EB F3 4A D1 25 5A 34 49 99 AD 37 14 68 87 A6 C6 84 57 31 AC 7F 46 37 6A 05 04 CD 06 57 14 74

纯文本:30字节字节字节byt随机混淆因子:64 4D EF 38 DA 35 00 72 75 87 8D 21 68 55 E2 28 256位茶花键:CC FC D3 49 BF 4C 66 77 E8 6E 4B 02 B8 EA B9 24 A5 46 AC 73 1C F9 BF 69 89 B9 96 E7 D6 BF BB A7密文:0E 44 68 09 85 5F 2D 1F 18 12 52 9C A8 3B FD 8E 34 9D E6 FD 9A AA 48 D6 8E 26 5F EB F3 4A D1 25 5A34 49 99 AD 37 14 68 87 A6 C6 84 57 31 AC 7F 46 37 6A 05 04 CD 06 57 14 74

Sample checksums:

校验和示例:

Plaintext: abcdefghijk Checksum type: cmac-camellia128 128-bit Camellia key: 1D C4 6A 8D 76 3F 4F 93 74 2B CB A3 38 75 76 C3 Key usage: 7 Checksum: 11 78 E6 C5 C4 7A 8C 1A E0 C4 B9 C7 D4 EB 7B 6B

明文:abcdefghijk校验和类型:cmac-camellia128位Camellia密钥:1D C4 6A 8D 76 3F 4F 93 74 2B CB A3 38 75 76 C3密钥用法:7校验和:11 78 E6 C5 C4 7A 8C 1A E0 C4 B9 C7 D4 EB 7B 6B

Plaintext: ABCDEFGHIJKLMNOPQRSTUVWXYZ Checksum type: cmac-camellia128 128-bit Camellia key: 50 27 BC 23 1D 0F 3A 9D 23 33 3F 1C A6 FD BE 7C Key usage: 8 Checksum: D1 B3 4F 70 04 A7 31 F2 3A 0C 00 BF 6C 3F 75 3A

明文:ABCDEFGHIJKLMNOPQRSTUVXYZ校验和类型:cmac-camellia128 128位Camellia密钥:50 27 BC 23 1D 0F 3A 9D 23 33 3F 1C A6 FD BE 7C密钥用法:8校验和:D1 B3 4F 70 04 A7 31 F2 3A 0C 00 BF 6C 3F 75 3A

Plaintext: 123456789 Checksum type: cmac-camellia256 256-bit Camellia key: B6 1C 86 CC 4E 5D 27 57 54 5A D4 23 39 9F B7 03 1E CA B9 13 CB B9 00 BD 7A 3C 6D D8 BF 92 01 5B Key usage: 9 Checksum: 87 A1 2C FD 2B 96 21 48 10 F0 1C 82 6E 77 44 B1

明文:123456789校验和类型:cmac-Camellia 256位Camellia密钥:B6 1C 86 CC 4E 5D 27 57 54 5A D4 23 39 9F B7 03 1E CA B9 13 CB B9 00 BD 7A 3C 6D D8 BF 92 01 5B密钥用法:9校验和:87 A1 2C FD 2B 96 21 48 10 F0 1C 82 6E 77 44 B1

   Plaintext: !@#$%^&*()!@#$%^&*()!@#$%^&*()
   Checksum type: cmac-camellia256
   256-bit Camellia key:
       32 16 4C 5B 43 4D 1D 15 38 E4 CF D9 BE 80 40 FE
       8C 4A C7 AC C4 B9 3D 33 14 D2 13 36 68 14 7A 05
   Key usage: 10
   Checksum:
       3F A0 B4 23 55 E5 2B 18 91 87 29 4A A2 52 AB 64
        
   Plaintext: !@#$%^&*()!@#$%^&*()!@#$%^&*()
   Checksum type: cmac-camellia256
   256-bit Camellia key:
       32 16 4C 5B 43 4D 1D 15 38 E4 CF D9 BE 80 40 FE
       8C 4A C7 AC C4 B9 3D 33 14 D2 13 36 68 14 7A 05
   Key usage: 10
   Checksum:
       3F A0 B4 23 55 E5 2B 18 91 87 29 4A A2 52 AB 64
        
11. References
11. 工具书类
11.1. Normative References
11.1. 规范性引用文件

[RFC3713] Matsui, M., Nakajima, J., and S. Moriai, "A Description of the Camellia Encryption Algorithm", RFC 3713, April 2004.

[RFC3713]Matsui,M.,Nakajima,J.,和S.Moraii,“茶花加密算法的描述”,RFC 37132004年4月。

[RFC3961] Raeburn, K., "Encryption and Checksum Specifications for Kerberos 5", RFC 3961, February 2005.

[RFC3961]Raeburn,K.,“Kerberos 5的加密和校验和规范”,RFC 3961,2005年2月。

[RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) Encryption for Kerberos 5", RFC 3962, February 2005.

[RFC3962]Raeburn,K.,“Kerberos 5的高级加密标准(AES)加密”,RFC 3962,2005年2月。

[SP800-108] Chen, L., "Recommendation for Key Derivation Using Pseudorandom Functions", NIST Special Publication 800& nhby;108, October 2009.

[SP800-108]Chen,L.“使用伪随机函数进行密钥推导的建议”,NIST特别出版物800&nhby;2009年10月108日。

[SP800-38B] Dworkin, M., "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication", NIST Special Publication 800-38B, October 2009.

[SP800-38B]德沃金,M.“分组密码操作模式的建议:认证的CMAC模式”,NIST特别出版物800-38B,2009年10月。

11.2. Informative References
11.2. 资料性引用

[CRYPTOENG] Schneier, B., "Cryptography Engineering", March 2010.

[CRYPTOENG]Schneier,B.,“密码工程”,2010年3月。

[CRYPTREC] Information-technology Promotion Agency (IPA), Japan, "Cryptography Research and Evaluation Committees", <http://www.ipa.go.jp/security/enc/CRYPTREC/ index-e.html>.

[CRYPTREC]日本信息技术促进机构(IPA),“密码学研究和评估委员会”<http://www.ipa.go.jp/security/enc/CRYPTREC/ index-e.html>。

[LNCS5867] Mala, H., Shakiba, M., Dakhilalian, M., and G. Bagherikaram, "New Results on Impossible Different Cryptanalysis of Reduced-Round Camellia-128", Lecture Notes in Computer Science, Vol. 5867, November 2009, <http://www.springerlink.com/content/e55783u422436g77/>.

[LNCS5867]Mala,H.,Shakiba,M.,Dakhalian,M.,和G.Bagherikaram,“简化圆茶花-128不可能不同密码分析的新结果”,计算机科学讲稿,第5867卷,2009年11月<http://www.springerlink.com/content/e55783u422436g77/>.

[NESSIE] The NESSIE Project, "New European Schemes for Signatures, Integrity, and Encryption", <http://www.cosic.esat.kuleuven.be/nessie/>.

[NESSIE]NESSIE项目,“新的欧洲签名、完整性和加密方案”<http://www.cosic.esat.kuleuven.be/nessie/>.

Appendix A. Acknowledgements
附录A.确认书

The author would like to thank Ken Raeburn, Satoru Kanno, Jeffrey Hutzelman, Nico Williams, Sam Hartman, and Tom Yu for their help in reviewing and providing feedback on this document.

作者感谢Ken Raeburn、Satoru Kanno、Jeffrey Hutzelman、Nico Williams、Sam Hartman和Tom Yu在审查和提供本文件反馈方面提供的帮助。

Author's Address

作者地址

Greg Hudson MIT Kerberos Consortium

格雷格·哈德森麻省理工学院Kerberos联合会

   EMail: ghudson@mit.edu
        
   EMail: ghudson@mit.edu