IPSECME B. Salter Internet-Draft A. Raine Intended status: Standards Track J. Cruickshanks Expires: 7 April 2025 UK National Cyber Security Centre 4 October 2024 Use of SHA-3 in the Internet Key Exchange Protocol Version 2 (IKEv2) and IPsec draft-salter-ipsecme-sha3-00 Abstract This document specifies the use of HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512, KMAC128 and KMAC256 within the Internet Key Exchange Version 2 (IKEv2), Encapsulating Security Payload (ESP), and Authentication Header (AH) protocols. These algorithms can be used as integrity protection algorithms for ESP, AH and IKEv2, and as Pseudo-Random Functions (PRFs) for IKEv2. Requirements for supporting signature algorithms in IKEv2 that use SHA3-224, SHA3-256, SHA3-384 and SHA3-512 are also specified. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 April 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights Salter, et al. Expires 7 April 2025 [Page 1] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. SHA-3 and Keccak . . . . . . . . . . . . . . . . . . . . . . 4 4. APIs for SHA-3 . . . . . . . . . . . . . . . . . . . . . . . 5 5. Constraints on SHA-3 inputs and outputs . . . . . . . . . . . 6 6. Padding . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 6.1. HMAC Key Padding . . . . . . . . . . . . . . . . . . . . 8 6.2. KMAC Key Padding . . . . . . . . . . . . . . . . . . . . 8 7. Parameters and security strengths for SHA-3 algorithms . . . 9 8. SHA-3 as a PRF in IKEv2 . . . . . . . . . . . . . . . . . . . 11 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 12 8.2. HMAC-SHA3 . . . . . . . . . . . . . . . . . . . . . . . . 12 8.3. KMAC . . . . . . . . . . . . . . . . . . . . . . . . . . 12 8.3.1. KMAC as a PRF . . . . . . . . . . . . . . . . . . . . 12 8.3.2. KMAC in prf+ . . . . . . . . . . . . . . . . . . . . 13 9. SHA-3 for authentication and integrity protection in ESP, AH and IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . 13 9.1. HMAC-SHA3 . . . . . . . . . . . . . . . . . . . . . . . . 14 9.2. KMAC . . . . . . . . . . . . . . . . . . . . . . . . . . 14 10. SHAKE and SHA-3 in IKEv2 . . . . . . . . . . . . . . . . . . 14 11. Security Considerations . . . . . . . . . . . . . . . . . . . 15 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 13.1. Normative References . . . . . . . . . . . . . . . . . . 18 13.2. Informative References . . . . . . . . . . . . . . . . . 19 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 20 A.1. PRF Test Vectors . . . . . . . . . . . . . . . . . . . . 21 A.1.1. HMAC-SHA3-256 PRF Test Vectors . . . . . . . . . . . 21 A.1.2. HMAC-SHA3-384 PRF Test Vectors . . . . . . . . . . . 22 A.1.3. HMAC-SHA3-512 PRF Test Vectors . . . . . . . . . . . 24 A.1.4. KMAC128 PRF Test Vectors . . . . . . . . . . . . . . 25 A.1.5. KMAC256 PRF Test Vectors . . . . . . . . . . . . . . 26 A.2. KDF Test Vectors . . . . . . . . . . . . . . . . . . . . 27 A.2.1. HMAC-SHA3-256 KDF Test Vectors . . . . . . . . . . . 27 A.2.2. HMAC-SHA3-384 KDF Test Vectors . . . . . . . . . . . 30 A.2.3. HMAC-SHA3-512 KDF Test Vectors . . . . . . . . . . . 33 A.2.4. KMAC128 KDF Test Vectors . . . . . . . . . . . . . . 35 A.2.5. KMAC256 KDF Test Vectors . . . . . . . . . . . . . . 38 A.3. HMAC-SHA3 IKEv2 and IPsec Integrity Protection Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . . 42 Salter, et al. Expires 7 April 2025 [Page 2] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 A.3.1. HMAC-SHA3-256 IKEv2 and IPsec Integrity Protection Test Vectors . . . . . . . . . . . . . . . . . . . . . . . 42 A.3.2. HMAC-SHA3-384 IKEv2 and IPsec Integrity Protection Test Vectors . . . . . . . . . . . . . . . . . . . . . . . 42 A.3.3. HMAC-SHA3-512 IKEv2 and IPsec Integrity Protection Test Vectors . . . . . . . . . . . . . . . . . . . . . . . 42 A.4. KMAC IKEv2 Integrity Protection Test Vectors . . . . . . 43 A.4.1. KMAC128 IKEv2 Integrity Protection Test Vectors . . . 43 A.4.2. KMAC256 IKEv2 Integrity Protection Test Vectors . . . 43 A.5. KMAC IPsec Integrity Protection Test Vectors . . . . . . 44 A.5.1. KMAC128 IKEv2 Integrity Protection Test Vectors . . . 44 A.5.2. KMAC256 IKEv2 Integrity Protection Test Vectors . . . 44 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 45 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 1. Introduction [FIPS-202] specifies both the SHA3-256, SHA3-384 and SHA3-512 cryptographic hash functions, and the SHAKE eXtendable-output functions (XOFs). HMAC [RFC2104] can be used with cryptographic hash functions to generate message authentication codes (MACs) that can be used for integrity protection for IKEv2 or IPsec, or as a PRF for IKEv2. [SP-800-185] specifies KMAC128 and KMAC256, which use variants of SHAKE128 and SHAKE256 respectively to create a MAC. Like the output of SHAKE, the MAC output of KMAC can be of any length required by the application. This document specifies how to use HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512, KMAC128, and KMAC256 with IKEv2 and IPsec. It also allocates values used for announcing support of SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, and SHAKE256 when generating and validating signatures in IKEv2. EDNOTE: HMAC-SHA3-224 has been ignored as it doesn't have an equivalent in RFC 4868. draft-ietf-lamps-cms-sha3-hash includes support for SHA3-224 with ECDSA, hence its inclusion in the hash functions registry. Should SHA3-224/HMAC-SHA3-224 be specified for use in IKEv2/IPsec? Can/should the output be truncated safely for auth/integrity protection? 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Salter, et al. Expires 7 April 2025 [Page 3] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Additionally, this document uses several terms to collectively refer to sets of algorithms. The term "SHA-3 cryptographic hash functions" is used to collectively refer to SHA3-256, SHA3-384 and SHA3-512. The term "HMAC" is used to refer to the Keyed-Hash Message Authentication Code algorithm generally, independent of specific cryptographic hash functions. The term "HMAC-SHA3" is used to collectively refer to HMAC-SHA3-256, HMAC-SHA3-384 and HMAC-SHA3-512. The term "KMAC" is used to collectively refer to KMAC-128 and KMAC- 256. The term "SHA-3" (without any other qualifiers) is used to collectively refer to the cryptographic algorithms defined in [FIPS-202] and [SP-800-185]. The term "SHA-2" (without any other qualifiers) is used to collectively refer to SHA-224, SHA-256, SHA-384 and SHA-512. The term "SHAKE" is used to collectively refer to SHAKE128 and SHAKE256. 3. SHA-3 and Keccak SHA-3 is a collection of cryptographic algorithms that all utilise the Keccak sponge construction. [FIPS-202] describes the SHA-3 cryptographic hash functions, which produce a fixed length digest for any length of input. These hash functions are intended to be used in the same manner and contexts as other traditional hash functions such as SHA-2. [FIPS-202] also describes the SHAKE XOFs. An XOF differs from a traditional hash function in that the length of the XOF's output can be chosen by the application that uses it. [SP-800-185] describes cSHAKE, a customisable version of SHAKE, and KMAC, which is a PRF and keyed hash function that utilises cSHAKE. Like SHAKE and cSHAKE, the length of KMAC's output is application-dependent. SHA-3 was specified to provide applications with an alternative to SHA-2, which is based on the Merkle-Damgård construction. Use of the Merkle-Damgård construction in SHA-2 means that length extension attacks are possible if SHA-2 isn't used correctly. At the time of writing, use of SHA-2 in IPsec is believed to be secure, and hence there is no security motivation to migrate away from SHA-2 to SHA-3 in this context. However, in the event that a significant attack on SHA-2 is discovered, SHA-3 will be an immediately viable alternative. Salter, et al. Expires 7 April 2025 [Page 4] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Migration to use of post-quantum algorithms in IKEv2 may make use of SHA-3 more appealing for minimal implementations of IPsec, as [ML-KEM], [ML-DSA], [SLH-DSA] and [FALCON] all make use of SHA-3 internally. Since support for SHA-3 is required to implement these algorithms, some implementers may find it preferable to implement SHA-3, and only SHA-3, if interoperability with general-purpose IKEv2 and IPsec implementations is not required. KMAC is more efficient than HMAC-SHA3, as it directly uses the Keccak sponge function to produce a MAC, rather than treating Keccak as a traditional cryptographic hash function, and then feeding that hash function into a separate MAC algorithm. This would imply that use of KMAC is strictly preferred over HMAC-SHA3 and that HMAC-SHA3 shouldn't be implemented. However, as HMAC doesn't produce variable- length output and is widely utilised in IPsec implementations already, upgrading these implementations to support HMAC-SHA3 may be a simpler task than upgrading them to support KMAC. 4. APIs for SHA-3 To make it easier to compare HMAC and KMAC, basic APIs for each are defined below. The symbols used in these APIs broadly conform to those described in [SP-800-185]. KMAC and HMAC implementations used in IKEv2 and IPsec do not need to conform to these APIs exactly, they're merely used in this document for illustrative purposes. For the purposes of this document, the API for HMAC is defined as: HMAC(K, X) -> Z Each input and output is a bit string, where: * K is the key. It can be of any length, including zero. * X is the input string. It can be of any length, including zero. * Z is the output string of HMAC, which is a message authentication code. The size of Z is fixed for each HMAC algorithm, and is the same size as the digest produced by the hash function used by that algorithm. For the purposes of this document, the API for KMAC is defined as: KMAC(K, X, L, S) -> Z where: Salter, et al. Expires 7 April 2025 [Page 5] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 * K is the key. It is a bit string of any length, including zero, up to but not including 2^2040 bits. * X is the input string. It is a bit string of any length, including zero. * L is an integer representing the requested output length in bits. This parameter is typically fixed in the context of IKEv2, except when extracting key material using prf+ in IKEv2, where it depends on the length of key material needed by the negotiated cipher suite. * S is an optional customization string. It is a bit string of any length, including zero, up to but not including 2^2040 bits. * Z is the output string of KMAC, which is a message authentication code. It is a bit string of length L. EDNOTE: the symbols chosen above mostly match those in SP 800-15. They also match draft-ietf-lamps-cms-sha3-hash. However, RFC 7296 uses S for the prf+ input string. Would it be better use change X to S, and change S to C? 5. Constraints on SHA-3 inputs and outputs Per [SP-800-185], the length of the K input to KMAC MUST be less than 2^2040 bits. In the context of IKEv2 and IPsec, there is no situation where a key that long would be expected. Initiator and Responder nonces Ni and Nr are used as inputs to IKE PRF calls, although the length of these nonces combined cannot exceed 4096 bits. Shared secrets used for authentication in IKEv2 are used as keys with PRFs negotiated by IKE, and have no upper bound on their length. Therefore, KMAC and HMAC-SHA3 implementations used with IKEv2 MUST at minimum accept K inputs up to and including 4096 bits in length. Implementations MAY restrict the size of pre-shared key inputs such that they do not exceed 4096 bits. There is no algorithm-defined minimum size for the key inputs to KMAC and HMAC-SHA3, but Table 3 and Table 4 describe the size of keys to be used with IKEv2 and IPsec, aligned to the security strength of each algorithm. Using a key smaller than the security strength of the chosen KMAC or HMAC-SHA3 algorithm undermines the security properties of that algorithm. Where IKEv2 is used to create security associations, the size of most PRF keys is automatically managed at the protocol level, and there is no risk of selecting an undersized key in these cases. However, the size of keys used for PRFs in IKE cannot always be controlled. In the case of pre-shared keys used for authentication or protection against a quantum computer, those Salter, et al. Expires 7 April 2025 [Page 6] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 secrets are used as the key input to a PRF negotiated by IKE. That shared secret could be arbitrarily chosen by a user rather than securely generated, or derived from a password, even though [RFC7296] strongly discourages this practice. IKEv2 implementations following the recommendation laid out in [RFC7296] can impose constraints on suitable pre-shared keys. Additionally, Ni and Nr are variable length and are used as the key for KMAC or HMAC-SHA3. [RFC7296] states that each of these nonces MUST be at least 128 bits in size, and MUST be at least half the preferred key size for the negotiated PRF. If an IKE peer sends an undersized nonce, the message containing that nonce can be rejected in the same way as any malformed IKE message would be. Conformant KMAC and HMAC-SHA3 implementations SHOULD reject keys that do not meet the security strength of the corresponding algorithm. The input string X can be a variety of lengths in practice, but will always be a multiple of eight. Similarly, KMAC's output length parameter L will always be a multiple of eight. Since the length of output required from KMAC is always known in advance, KMAC with arbitrary-length output as described in Section 4.3.1 of [SP-800-185] is never used, and thus L is never set to 0. KMAC's customization string S is fixed to a specific value depending on the context in which KMAC is used. Future specifications may define additional customization strings, but the set of valid strings used by KMAC in IKEv2 and IPsec will always be fixed-length context- dependent strings specified in IETF RFCs rather than dynamically created, e.g. via random data. 6. Padding Since the length of the input string X for both HMAC-SHA3 and KMAC varies, and both HMAC-SHA3 and KMAC operate on fixed-size input blocks, padding is required to use HMAC-SHA3 and KMAC in IKEv2 and IPsec. The padding scheme for the SHA-3 cryptographic hash functions is specified in [FIPS-202], and the padding scheme for KMAC is specified in [SP-800-185]. An HMAC-SHA3 or KMAC implementation conformant to those documents is sufficient; no additional padding is required to use these algorithms in IKEv2 or IPsec. When KMAC or HMAC-SHA3 are used as the PRF for an IKE SA, the size of the key input K is variable. HMAC and KMAC both permit use of variable key sizes, but handle these keys differently. Salter, et al. Expires 7 April 2025 [Page 7] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 6.1. HMAC Key Padding When HMAC is invoked, unless K is the same as the input block size for the cryptographic hash function being used, K is padded or compressed to match that block size. The "rate" of a sponge function is the number of input bits processed or output bits generated per invocation of that function, and serves as the input block size for HMAC. The rates, and hence input block sizes, for each SHA-3 cryptographic hash function when used with HMAC are described in [FIPS-202] and repeated below. +================+==============+ | Algorithm Name | Rate (bytes) | +================+==============+ | SHA3-256 | 136 | +----------------+--------------+ | SHA3-384 | 104 | +----------------+--------------+ | SHA3-512 | 72 | +----------------+--------------+ Table 1: SHA-3 rate values * Keys that match the rate of the relevant SHA-3 cryptographic hash function are used as-is. * Keys that are shorter than the rate are right-padded up to the rate of the hash function using zero bits. Note that this is required for the majority of keys used with HMAC-SHA3 in IKEv2 or IPsec. * Keys that are longer than the rate are hashed using the relevant SHA-3 cryptographic hash function. The resulting digest is then right-padded up to the rate of the hash function using zero bits. The padding described above is that required by [RFC2104]. Any HMAC implementation conformant with that RFC is suitable for use in IKEv2 and IPsec, no protocol-specific additional padding of keys is required. 6.2. KMAC Key Padding Unlike HMAC, if the size of a KMAC key is greater than the recommended key size, the key is used in its entirety without any kind of shortening or truncation. As described in [SP-800-185], keys are always padded up to a multiple of the rate of the underlying Keccak sponge function; that is, 168 bytes and 136 bytes for KMAC-128 and KMAC-256 respectively. Any KMAC implementation conformant with Salter, et al. Expires 7 April 2025 [Page 8] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 [SP-800-185] is suitable for use in IKEv2 and IPsec, no protocol- specific additional padding of keys is required. 7. Parameters and security strengths for SHA-3 algorithms Table 2 describes the general properties of the SHA-3 algorithms, with the SHA-2 algorithms also listed for comparison purposes. The maximum security strengths listed are taken from [SP-800-57]. Note that these are maximum security strengths. Using keys that are shorter than the maximum security strength will constrain the maximum security strength of the chosen algorithm to be no higher than the length of that key. Keys that contain insufficient entropy to meet the maximum security strength constrain the maximum security of the chosen algorithm to be no higher than the bits of entropy represented in the key. +================+======================+==================+ | Algorithm Name | Output Length (bits) | Maximum Security | | | | Strength (bits) | +================+======================+==================+ | HMAC-SHA-256 | 256 | >=256 | +----------------+----------------------+------------------+ | HMAC-SHA-384 | 384 | >=256 | +----------------+----------------------+------------------+ | HMAC-SHA-512 | 512 | >=256 | +----------------+----------------------+------------------+ | HMAC-SHA3-256 | 256 | >=256 | +----------------+----------------------+------------------+ | HMAC-SHA3-384 | 384 | >=256 | +----------------+----------------------+------------------+ | HMAC-SHA3-512 | 512 | >=256 | +----------------+----------------------+------------------+ | KMAC128 | Variable | 128 | +----------------+----------------------+------------------+ | KMAC256 | Variable | >=256 | +----------------+----------------------+------------------+ Table 2: SHA-3 output length and security strength values Table 3 describes the parameters of the SHA-3 algorithms as used as a PRF in IKEv2, with the SHA-2 algorithms also listed for comparison purposes. Salter, et al. Expires 7 April 2025 [Page 9] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 +===============+===================+===========+===================+ | Algorithm | PRF variant | Preferred | Output Length | | Name | | Key Size | (bits) | | | | (bits) | | +===============+===================+===========+===================+ | HMAC-SHA-256 | PRF_HMAC_SHA2_256 | 256 | 256 | +---------------+-------------------+-----------+-------------------+ | HMAC-SHA-384 | PRF_HMAC_SHA2_384 | 384 | 384 | +---------------+-------------------+-----------+-------------------+ | HMAC-SHA-512 | PRF_HMAC_SHA2_512 | 512 | 512 | +---------------+-------------------+-----------+-------------------+ | HMAC-SHA3-256 | PRF_HMAC_SHA3_256 | 256 | 256 | +---------------+-------------------+-----------+-------------------+ | HMAC-SHA3-384 | PRF_HMAC_SHA3_384 | 384 | 384 | +---------------+-------------------+-----------+-------------------+ | HMAC-SHA3-512 | PRF_HMAC_SHA3_512 | 512 | 512 | +---------------+-------------------+-----------+-------------------+ | KMAC128 | PRF_KMAC_128 | 128 | 256, or length | | | | | of output | | | | | required for | | | | | prf+ | +---------------+-------------------+-----------+-------------------+ | KMAC256 | PRF_KMAC_256 | 256 | 512, or length | | | | | of output | | | | | required for | | | | | prf+ | +---------------+-------------------+-----------+-------------------+ Table 3: SHA-3 preferred key sizes and output lengths for use as a PRF Like their SHA-2 equivalents, the output of HMAC-SHA3 algorithms used in IKEv2 is used in its entirety without truncation. The security strength of these algorithms is the same as the maximum security strength for that algorithm, unless the entropy in the supplied key is insufficient to meet that strength. When key material is extracted from IKEv2's prf+ KDF for use with SHA-3 in IKEv2, the length of keys extracted MUST conform to the preferred key sizes listed in Table 3. EDNOTE: The KMAC output lengths have been aligned with HMAC, but if we're not depending on collision resistance, it seems like they could be reduced to 128/256 bits respectively? That would also mean that the PRF output would be suitable for use as a PRF key without requiring further modification, like HMAC. Salter, et al. Expires 7 April 2025 [Page 10] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Table 4 describes the parameters of the SHA-3 algorithms as used for authentication and integrity protection in IKEv2 and IPsec, with the SHA-2 algorithms also listed for comparison purposes. +===============+========================+==========+===============+ | Algorithm | Integrity variant | Key Size | Output | | Name | | (bits) | Length | | | | | (bits) | +===============+========================+==========+===============+ | HMAC-SHA-256 | AUTH_HMAC_SHA2_256_128 | 256 | 128 | +---------------+------------------------+----------+---------------+ | HMAC-SHA-384 | AUTH_HMAC_SHA2_384_192 | 384 | 192 | +---------------+------------------------+----------+---------------+ | HMAC-SHA-512 | AUTH_HMAC_SHA2_512_256 | 512 | 256 | +---------------+------------------------+----------+---------------+ | HMAC-SHA3-256 | AUTH_HMAC_SHA3_256_128 | 256 | 128 | +---------------+------------------------+----------+---------------+ | HMAC-SHA3-384 | AUTH_HMAC_SHA3_384_192 | 384 | 192 | +---------------+------------------------+----------+---------------+ | HMAC-SHA3-512 | AUTH_HMAC_SHA3_512_256 | 512 | 256 | +---------------+------------------------+----------+---------------+ | KMAC128 | AUTH_KMAC_128 | 128 | 128 | +---------------+------------------------+----------+---------------+ | KMAC256 | AUTH_KMAC_256 | 256 | 256 | +---------------+------------------------+----------+---------------+ Table 4: SHA-3 preferred key sizes and output lengths for use as an Integrity Algorithm Transform When used for authentication and integrity protection, HMAC-SHA3 message authentication codes are truncated, and KMAC message authentication codes are produced using a smaller value for the "requested output length" parameter L. In this case, the security strength of each given algorithm is constrained by its output length. When key material is extracted from IKEv2's prf+ KDF for use with SHA-3 for authentication and integrity protection in IKEv2 or IPsec, the length of keys extracted MUST conform to the key sizes listed in Table 4. 8. SHA-3 as a PRF in IKEv2 Salter, et al. Expires 7 April 2025 [Page 11] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 8.1. Overview IKEv2 Security Associations (SAs) make use of a PRF for authentication purposes, and as a part of the prf+ Key Derivation Function (KDF). HMAC-SHA3 and KMAC can both act as the PRF for an IKE SA, but KMAC is treated slightly differently to other PRFs as it is capable of producing different output lengths depending on the context in which it's used. For both HMAC-SHA3 and KMAC, key K is either a fixed length key (such as SK_d) that is the same size as the output produced by that SHA-3 algorithm, or the length of K is dependent on other factors. For example, when used with the IKE SA keys SK_d, SK_pi or SK_pr, these keys are always 256 bits in length when the IKE SA's PRF is HMAC- SHA3-256. When the PRF is used with nonce inputs as the key K (e.g. when generating SKEYSEED), or when the PRF is used with a pre-shared key as the HMAC key K, the length of the key K depends on implementation-specific details, user configuration options, etc. 8.2. HMAC-SHA3 When used as a PRF in IKEv2, the full output of each HMAC-SHA3 algorithm is used, rather than the truncated variants described below for integrity protection in IPsec. Since the output length of HMAC is fixed, prf+ is used as described in [RFC7296]. 8.3. KMAC A notable difference to HMAC is that when KMAC is used as the PRF for an IKE SA, its "requested output length" parameter L and "customization string" parameter S are populated differently depending on whether KMAC is being used as a part of the prf+ KDF or not. The context string S is also populated differently depending on whether KMAC is used in prf+ or not. This process is described in more detail below. EDNOTE: The customization string differences aren't strictly necessary and may make implementation a bit harder, but they seem valuable in that we're placing a clear divide between two places with different rules on how KMAC is used. 8.3.1. KMAC as a PRF When used in IKEv2, KMAC's output length L is 128 for KMAC-128, and 256 for KMAC-256. That is, the output length is the same size as the security strength and preferred key size of the given KMAC algorithm. The only exception to this is when KMAC is used in prf+, as described below. Salter, et al. Expires 7 April 2025 [Page 12] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 When KMAC is used outside the context of prf+, the customization string S is set to the ASCII character string "ikev2 prf", without null termination. 8.3.2. KMAC in prf+ When KMAC is used in prf+, L is set to the length of the keying material required. That is, prf (K, S | 0x01) is the only step of the prf+ function that is ever required, as KMAC can produce a pseudorandom stream without the need to iteratively call prf as described in [RFC7296]. EDNOTE: the intent here is to keep prf+ (sort of) the same for KMAC, it's just that only one iteration is ever needed. Would this actually be more annoying from an implementer's point of view than just replacing prf+, though? The extra 0x01 is easy to forget if you simply redirect prf+ calls to KMAC instead. When KMAC is used in prf+, the customization string S is set to the ASCII character string "ikev2 kdf", without null termination. 9. SHA-3 for authentication and integrity protection in ESP, AH and IKEv2 IPsec SAs can make use of an integrity protection algorithm to provide data origin authentication and integrity protection services. KMAC and HMAC-SHA3 can be used to provide these services. As described in [RFC8221], Authenticated Encryption with Associated Data (AEAD) ciphers are the fastest and most modern approach to providing these services in conjunction with confidentiality protection. KMAC and HMAC-SHA3 MUST NOT be negotiated in IKEv2 in conjunction with an AEAD cipher. HMAC-SHA3 and KMAC MAY be used as an integrity protection algorithm with: * ESP in conjunction with a non-AEAD cipher * ESP and null encryption (ENCR_NULL) * IKEv2 in conjunction with a non-AEAD cipher * AH EDNOTE: You really should use ENCR-NULL over AH here. RFC 8221 recommends use of ENCR_NULL over AH - would it be worth reiterating that here? Salter, et al. Expires 7 April 2025 [Page 13] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 9.1. HMAC-SHA3 When HMAC-SHA3 is used for authentication and integrity protection in ESP, AH, and IKEv2, the HMAC key K is 256 bits in length for HMAC- SHA3-256, 384 bits in length for HMAC-SHA3-384, and 512 bits in length for HMAC-SHA3-512. The output string Z of HMAC is truncated such that the output length is halved. As described in [RFC2104], the left-most bits are retained, and the right-most bits are discarded. The output string is truncated for the same reasons described in [RFC4868] for HMAC- SHA2. Truncating the output of HMAC reduces the size expansion created by integrity protection offered by ESP and AH, and reduces the size of IKE messages. The output length is halved to match the birthday attack bound for HMAC. 9.2. KMAC When using KMAC, the L input parameter is always set to the same value as the key size and security strength of the chosen KMAC algorithm. That is, the output length of KMAC128 is always set to 128 bits, and the output length of KMAC256 is always set to 256 bits. When used with ESP or AH, the "customization string" parameter S is set to the ASCII character string "ipsec", without null termination. When used with IKEv2 for authentication and integrity protection, the "customization string" parameter S is set to the ASCII character string "ikev2 auth", without null termination. EDNOTE: Again, the customization string differences probably aren't strictly necessary, but placing IPsec and IKEv2 integrity/prf/prf+ into different domains seems like a good thing to do. 10. SHAKE and SHA-3 in IKEv2 SHAKE and the SHA-3 cryptographic hash functions can generate digests for use with signature algorithms. For instance, [RFC8692] specifies algorithm identifiers for using RSASSA-PSS and ECDSA with SHAKE, and NIST have assigned OIDs for using RSA PKCS #1 v1.5 signatures with SHA-3 [NISTOIDS]. Salter, et al. Expires 7 April 2025 [Page 14] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 [RFC7427] specifies the "Digital Signature" (14) authentication method, that allows IKEv2 to support any signature algorithm without the need to specify an authentication method for every new combination of signature algorithm and hash function. The Digital Signature authentication method is the only way to utilise SHA-3 with signatures in IKEv2, so if a peer uses SHA-3 in this context, it MUST specify the Digital Signature authentication method in its corresponding AUTH payload. The Digital Signature authentication method specifies use of a SIGNATURE_HASH_ALGORITHMS notification by each IKE peer to announce the hash functions it supports for use with signatures. This specification defines values for announcing support for SHA-3 algorithms in the SIGNATURE_HASH_ALGORITHMS notification. When an IKEv2 implementation supports SHA-3 in this context, and local policy permits use of SHA-3 to generate or verify signatures, it MUST include the corresponding values in its SIGNATURE_HASH_ALGORITHMS notification. 11. Security Considerations SHA-3 and SHA-2 are both believed to be secure at time of writing. Views on the security of cryptographic algorithms evolves over time, so implementers should pay attention to IETF RFCs reporting on recommendations for use of cryptographic algorithms in IKEv2 and IPsec, such as any documents that update [RFC8221] and [RFC8247]. Quantum computing has a significant impact on the security of all IETF security protocols, as a cryptographically-relevant quantum computer (CRQC) could use Shor's algorithm to break many traditional asymmetric cryptographic algorithms. A CRQC can also attack hash functions, including SHA-3 and SHA-2, using Grover's algorithm. However, the impact of Grover's algorithm is less dramatic than the impact of Shor's Algorithm. The worst-case impact of Grover's algorithm is a reduction in security strength by a factor of two; using algorithms with a greater maximum security strength is sufficient to mitigate this. Grover's algorithm is likely to be difficult to parallelise, so the security reduction for SHA-3 and SHA-2 created by Grover's algorithm may be smaller in practice. See [GROVER] for a discussion on the practical cost of using Grover's algorithm to recover AES keys. EDNOTE: More references would be helpful here, especially if they relate to hash functions specifically. The security properties offered by both HMAC-SHA3 and KMAC depend on limiting access to the keys used with those algorithms. Since both algorithms depend on a symmetric key, the key must be known by at Salter, et al. Expires 7 April 2025 [Page 15] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 least two parties in order to be useful. Sharing the key beyond two parties may erode the security offered by these algorithms. In the case of IKEv2 and IPsec, this typically means that access to keys must be limited to the peers participating in the security association that uses those keys. IKEv2 can be used to enforce this for IPsec SAs and most keys used in IKE SAs, but pre-shared keys are a notable exception here. Providing more than two peers with access to a single pre-shared key may undermine the security offered by that pre-shared key, and hence the security offered by HMAC or KMAC. When IKEv2 is used to create IPsec SAs, the keys for HMAC-SHA3 and KMAC are all ultimately derived from an ephemeral shared secret produced using one or more negotiated key exchange algorithms, with the exception of static pre-shared keys used in IKE for authentication and/or protection against quantum computers. If the negotiated key exchange algorithm offers few bits of security than the negotiated PRF, this effectively caps the bits of security offered by the PRF as well. Negotiating a key exchange algorithm that offers more bits of security than the negotiated PRF does not improve the security offered by that PRF. Similarly, using an encryption algorithm whose security level does not align to the negotiated PRF will undermine the security offered by either the encryption algorithm or the PRF. As such, it is important to ensure that IKE peers configure algorithm policies such that every algorithm negotiated always meets an acceptable minimum security level. Where static keys are used with HMAC-SHA3 and KMAC, these MUST contain at least as much entropy as the security level of the chosen algorithm, and SHOULD be generated using a random number generator capable suitable for use with cryptography. 12. IANA Considerations For negotiating use of HMAC-SHA3 and KMAC as PRFs for IKEv2, IANA is requested to assign five Transform IDs in the "Transform Type 2 - Pseudorandom Function Transform IDs" registry: Salter, et al. Expires 7 April 2025 [Page 16] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 +========+===================+========+==============+ | Number | Name | Status | Reference | +========+===================+========+==============+ | TBD | PRF_HMAC_SHA3_256 | | [This draft] | +--------+-------------------+--------+--------------+ | TBD | PRF_HMAC_SHA3_384 | | [This draft] | +--------+-------------------+--------+--------------+ | TBD | PRF_HMAC_SHA3_512 | | [This draft] | +--------+-------------------+--------+--------------+ | TBD | PRF_KMAC_128 | | [This draft] | +--------+-------------------+--------+--------------+ | TBD | PRF_KMAC_256 | | [This draft] | +--------+-------------------+--------+--------------+ Table 5: SHA-3 PRF Transform IDs For negotiating use of HMAC-SHA3 and KMAC for integrity protection in IKEv2 and IPsec protocols, IANA is requested to assign five Transform IDs in the "Transform Type 3 - Integrity Algorithm Transform IDs" registry: +========+========================+========+==============+ | Number | Name | Status | Reference | +========+========================+========+==============+ | TBD | AUTH_HMAC_SHA3_256_128 | | [This draft] | +--------+------------------------+--------+--------------+ | TBD | AUTH_HMAC_SHA3_384_192 | | [This draft] | +--------+------------------------+--------+--------------+ | TBD | AUTH_HMAC_SHA3_512_256 | | [This draft] | +--------+------------------------+--------+--------------+ | TBD | AUTH_KMAC_128 | | [This draft] | +--------+------------------------+--------+--------------+ | TBD | AUTH_KMAC_256 | | [This draft] | +--------+------------------------+--------+--------------+ Table 6: SHA-3 Integrity Algorithm Transform IDs For indicating support for the SHA-3 cryptographic hash functions and SHAKE XOFs in conjunction with a signature algorithm, IANA is requested to assign six Transform IDs in the "IKEv2 Hash Algorithms" registry: Salter, et al. Expires 7 April 2025 [Page 17] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 +=======+================+==============+ | Value | Hash Algorithm | Reference | +=======+================+==============+ | TBD | SHA3_224 | [This draft] | +-------+----------------+--------------+ | TBD | SHA3_256 | [This draft] | +-------+----------------+--------------+ | TBD | SHA3_384 | [This draft] | +-------+----------------+--------------+ | TBD | SHA3_512 | [This draft] | +-------+----------------+--------------+ | TBD | SHAKE_128 | [This draft] | +-------+----------------+--------------+ | TBD | SHAKE_256 | [This draft] | +-------+----------------+--------------+ Table 7: SHA-3 Hash Algorithm IDs 13. References 13.1. Normative References [FIPS-202] "SHA-3 standard :: permutation-based hash and extendable- output functions", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.202, 2015, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [SP-800-185] Kelsey, J., Change, S., and R. Perlner, "SHA-3 derived functions: cSHAKE, KMAC, TupleHash and ParallelHash", National Institute of Standards and Technology, DOI 10.6028/nist.sp.800-185, December 2016, . Salter, et al. Expires 7 April 2025 [Page 18] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 13.2. Informative References [FALCON] Foque, P.-A., Hoffstein, J., Kirchner, P., Lyubashevsky, V., Pornin, T., Prest, T., Ricosset, T., Seiler, G., Whyte, W., and Z. Zhang, "Falcon: Fast-Fourier Lattice- based Compact Signatures over NTRU", 2020, . [GROVER] UK National Cyber Security Centre, "On the practical cost of Grover for AES key recovery", 2024, . [ML-DSA] "Module-Lattice-Based Digital Signature Standard", National Institute of Standards and Technology, DOI 10.6028/nist.fips.204, August 2024, . [ML-KEM] "Module-Lattice-Based Key-Encapsulation Mechanism Standard", National Institute of Standards and Technology, DOI 10.6028/nist.fips.203, August 2024, . [NISTOIDS] National Institute of Standards and Technology, "Computer Security Objects Register", 2024, . [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, . [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- 384, and HMAC-SHA-512 with IPsec", RFC 4868, DOI 10.17487/RFC4868, May 2007, . [RFC7427] Kivinen, T. and J. Snyder, "Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)", RFC 7427, DOI 10.17487/RFC7427, January 2015, . Salter, et al. Expires 7 April 2025 [Page 19] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 [RFC8221] Wouters, P., Migault, D., Mattsson, J., Nir, Y., and T. Kivinen, "Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)", RFC 8221, DOI 10.17487/RFC8221, October 2017, . [RFC8247] Nir, Y., Kivinen, T., Wouters, P., and D. Migault, "Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 8247, DOI 10.17487/RFC8247, September 2017, . [RFC8692] Kampanakis, P. and Q. Dang, "Internet X.509 Public Key Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA Using SHAKEs", RFC 8692, DOI 10.17487/RFC8692, December 2019, . [SLH-DSA] "Stateless Hash-Based Digital Signature Standard", National Institute of Standards and Technology, DOI 10.6028/nist.fips.205, August 2024, . [SP-800-57] Barker, E., "Recommendation for key management:: part 1 - general", National Institute of Standards and Technology, DOI 10.6028/nist.sp.800-57pt1r5, May 2020, . Appendix A. Test Vectors The following test cases include inputs and outputs for scenarios where HMAC-SHA3 and KMAC are used in IKEv2 and IPsec. A key, input, and output are always supplied, these correspond to the K, X and Z parameters described in Section 4. For KMAC, a customization string input is also supplied, which corresponds to the L parameter. Note that in each context, the customization string is fixed. All inputs and outputs are encoded in hexadecimal. KMAC Customization strings also have an ASCII character string representation. Data supplied to KMAC does not include quotation marks or null terminators. Salter, et al. Expires 7 April 2025 [Page 20] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 In some cases a description is supplied, which describes the case being tested in more detail. These descriptions are test vector metada, and are not ever supplied to the relevant algorithm. A.1. PRF Test Vectors These test cases correspond to use of HMAC-SHA3 or KMAC as the PRF transform for an IKEv2 SA. A.1.1. HMAC-SHA3-256 PRF Test Vectors Salter, et al. Expires 7 April 2025 [Page 21] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 ~~ Test Case HMAC-SHA3-256-PRF-1 ~~ Description: Preferred key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): 10ae5299b538c806177afcfbd50a78cca7869b183d0f405af0fb4ffbec65ffc9 ~~ Test Case HMAC-SHA3-256-PRF-2 ~~ Description: Smaller key size Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): 30bf304d335b068b999b3c8053583921f98bd603661ce68d9bb481702656f3a8 ~~ Test Case HMAC-SHA3-256-PRF-3 ~~ Description: Larger key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): 9cc1974f3329ec6ae380e16b5df6068e2c954652a06e359aada1def787d9e298 A.1.2. HMAC-SHA3-384 PRF Test Vectors Salter, et al. Expires 7 April 2025 [Page 22] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 ~~ Test Case HMAC-SHA3-384-PRF-1 ~~ Description: Preferred key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): c412ca3549716fafa30b7cc1f8333ec80875f7f42b1bd02e2467b01baf24bab5 37e030688caebcf14c2db2523e16bfc2 ~~ Test Case HMAC-SHA3-384-PRF-2 ~~ Description: Smaller key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): beab6eed7c624690e25b84b66616192178fa06607e6971c4068d25df5944b6bc 21d374875260c9dedbc36914763da390 ~~ Test Case HMAC-SHA3-384-PRF-3 ~~ Description: Larger key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): 39719a89ebd05084f39e67c2ab349b8283198b30da01b30ea532bf6c3beee012 c148a0feff45ff4a243f664311beecca Salter, et al. Expires 7 April 2025 [Page 23] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 A.1.3. HMAC-SHA3-512 PRF Test Vectors ~~ Test Case HMAC-SHA3-512-PRF-1 ~~ Description: Preferred key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): dd3900c31efb5ca7f8cc457a2343c09177c76c81f0650e026d72e50878d70b70 c2b3330e0d72c2dccccad98bf39d8a2283d9c6c3ec05edee08d9b6702745b103 ~~ Test Case HMAC-SHA3-512-PRF-2 ~~ Description: Smaller key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): d31020b9deed7f237dacb5963c21d6a2fbd1f34497ad0a2ddef2aa0339e8f238 d8b5d56a53be7ac1612352c98a3905851bcb2c3a681ba273e15deff307710fe1 ~~ Test Case HMAC-SHA3-512-PRF-3 ~~ Description: Larger key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f 404142434445464748494a4b4c4d4e4f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): Salter, et al. Expires 7 April 2025 [Page 24] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 5f08ded1ad2757d9ebf55a3b05276edeb1d25db8a280c01f3e631eaa2c9d15b9 99f0c0aa60178bcd26df3d9da9b65a823564a7c34e096140a769e15bc47d5c30 A.1.4. KMAC128 PRF Test Vectors ~~ Test Case KMAC128-PRF-1 ~~ Description: Preferred key size Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ikev2 prf" Customization String (hex): 696b65763220707266 Output (hex): 942d56a4597c0d104497dc1c62be940a70198b32bfde8e2a5f57f55ec3fe5cef ~~ Test Case KMAC128-PRF-2 ~~ Description: Smaller key size Key (hex): 0001020304050607 Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ikev2 prf" Customization String (hex): 696b65763220707266 Output (hex): b050dd45ec09370cd2fe4b7c2a009618c5a426e81a4f11f6c538cf17027dbee3 ~~ Test Case KMAC128-PRF-3 ~~ Description: Salter, et al. Expires 7 April 2025 [Page 25] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Larger key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ikev2 prf" Customization String (hex): 696b65763220707266 Output (hex): 3a8d2a5ead5cd4db448b76a241b078fb444e1faf36eef8e195e275778a169b5f A.1.5. KMAC256 PRF Test Vectors ~~ Test Case KMAC256-PRF-1 ~~ Description: Preferred key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ikev2 prf" Customization String (hex): 696b65763220707266 Output (hex): 3a8d2a5ead5cd4db448b76a241b078fb444e1faf36eef8e195e275778a169b5f ~~ Test Case KMAC256-PRF-2 ~~ Description: Smaller key size Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): Salter, et al. Expires 7 April 2025 [Page 26] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ikev2 prf" Customization String (hex): 696b65763220707266 Output (hex): 942d56a4597c0d104497dc1c62be940a70198b32bfde8e2a5f57f55ec3fe5cef ~~ Test Case KMAC256-PRF-3 ~~ Description: Larger key size Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ikev2 prf" Customization String (hex): 696b65763220707266 Output (hex): beff64f08357a691290c7f67f6344a485941edd6d923bc554f8e4655702b090f A.2. KDF Test Vectors These test cases correspond to use of HMAC-SHA3 or KMAC with IKEv2's prf+ function. A.2.1. HMAC-SHA3-256 KDF Test Vectors ~~ Test Case HMAC-SHA3-256-KDF-1 ~~ Description: IKEv2 KDF request single PRF output Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): Salter, et al. Expires 7 April 2025 [Page 27] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 256 Output (hex): 6aefdb97d1645cafec3590cd8a35366e67a7887b153c042b4eb609cc60391f97 ~~ Test Case HMAC-SHA3-256-KDF-2 ~~ Description: IKEv2 KDF request multiple PRF output Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 512 Output (hex): 6aefdb97d1645cafec3590cd8a35366e67a7887b153c042b4eb609cc60391f97 d43335b5856ed1f2dd67c2c35853069ce7ae354df11b90b7dfea743890cf281a ~~ Test Case HMAC-SHA3-256-KDF-3 ~~ Description: IKE SA key material ENCR=AES-128-GCM PRF=HMAC-SHA3-256 SK_d = 256 bits SK_a[i|r] = nil SK_e[i|r] = 160*2 bits SK_p[i|r] = 256*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 1088 Output (hex): Salter, et al. Expires 7 April 2025 [Page 28] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 553bc362cfd6286855545b1222ee5d6e2946930c584951d2aa047f14318de527 9c58cf057348463823a445a82106b16de3e9c9db06602ede34f1bbe4910e042d ddddc5cc48a13ce8716b99d6522e03ee765f0549f1985f7e8c96e91246295b0b 0a9bdb6039e47f880d4d690ff6cd95376353f03635812f93ab417b8388d94f57 b9b731b554b0a269 ~~ Test Case HMAC-SHA3-256-KDF-4 ~~ Description: IKE SA key material ENCR=AES-256-CBC INTEG=HMAC-SHA3-256 PRF=HMAC-SHA3-256 SK_d = 256 bits SK_a[i|r] = 256*2 bits SK_e[i|r] = 256*2 bits SK_p[i|r] = 256*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 1792 Output (hex): 553bc362cfd6286855545b1222ee5d6e2946930c584951d2aa047f14318de527 9c58cf057348463823a445a82106b16de3e9c9db06602ede34f1bbe4910e042d ddddc5cc48a13ce8716b99d6522e03ee765f0549f1985f7e8c96e91246295b0b 0a9bdb6039e47f880d4d690ff6cd95376353f03635812f93ab417b8388d94f57 b9b731b554b0a269264abec3d7cbb3f43cb94c2b0bcaa9133358633ddbd4fe72 517b1de586599c5451b596953fc71ace7c4f6431f980327e21b02cb3298ec154 b526a14e5e6461fea32829d9de1c40a8c9d919e0b8e0d2132d663507d764ce32 ~~ Test Case HMAC-SHA3-256-KDF-5 ~~ Description: ESP key material ENCR=AES-256-CBC INTEG=HMAC-SHA3-256 KEYMAT=(256*2) + (256*2) bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Salter, et al. Expires 7 April 2025 [Page 29] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 1024 Output (hex): 6aefdb97d1645cafec3590cd8a35366e67a7887b153c042b4eb609cc60391f97 d43335b5856ed1f2dd67c2c35853069ce7ae354df11b90b7dfea743890cf281a 010bbf134b8f2d7d12c8eafbb0d4be0f8d0971357ea4e179b50e0d4316b56e80 51da1fd2be02168550150d40e6a36a3fbacdf9d639c1b00cdc58cb9af11dab7c A.2.2. HMAC-SHA3-384 KDF Test Vectors ~~ Test Case HMAC-SHA3-384-KDF-1 ~~ Description: IKEv2 KDF request single PRF output Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 384 Output (hex): 2c41a30906e2809b86e9cd75fdf055a46534664e49b0979ff067508d522f441f cf47d15477119ba2e9b9e85399bff5d4 ~~ Test Case HMAC-SHA3-384-KDF-2 ~~ Description: IKEv2 KDF request multiple PRF output Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 768 Salter, et al. Expires 7 April 2025 [Page 30] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Output (hex): 2c41a30906e2809b86e9cd75fdf055a46534664e49b0979ff067508d522f441f cf47d15477119ba2e9b9e85399bff5d4a1d827ea5b485abf569b2e83585e720e b7d7c50c4c90eadd1d9aeeaaf6921eae1f64d40a4efa56ef2cb02c1fe5d6b440 ~~ Test Case HMAC-SHA3-384-KDF-3 ~~ Description: IKE SA key material ENCR=AES-128-GCM PRF=HMAC-SHA3-384 SK_d = 384 bits SK_a[i|r] = nil SK_e[i|r] = 160*2 bits SK_p[i|r] = 384*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 1472 Output (hex): 73c5fc441670ce4766b1cbe9e17e1bd18e50903efcd49359c46cbb21da80c833 fe1a29789e0995c9fa58cd0759d3fb1765119115c72dad463a1d8b736b94dbd4 c1b6b31c40972eee5752ec22b12d4b42e8102358c7f7025313654ff909b4b87d 7357dfbbfaf2e2baf2d89e6575a9140484e8ef3681986bfe255a3bf5a1233a24 145336b7e192c9316967d809b14b1bc5986765010aa945c727ec4e3d63ec88dd 116994b90ffb2afd60e4c22ee85705aa1b57f50f878c21f3 ~~ Test Case HMAC-SHA3-384-KDF-4 ~~ Description: IKE SA key material ENCR=AES-256-CBC INTEG=HMAC-SHA3-384 PRF=HMAC-SHA3-384 SK_d = 384 bits SK_a[i|r] = 384*2 bits SK_e[i|r] = 256*2 bits SK_p[i|r] = 384*2 bits Key (hex): Salter, et al. Expires 7 April 2025 [Page 31] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 2432 Output (hex): 73c5fc441670ce4766b1cbe9e17e1bd18e50903efcd49359c46cbb21da80c833 fe1a29789e0995c9fa58cd0759d3fb1765119115c72dad463a1d8b736b94dbd4 c1b6b31c40972eee5752ec22b12d4b42e8102358c7f7025313654ff909b4b87d 7357dfbbfaf2e2baf2d89e6575a9140484e8ef3681986bfe255a3bf5a1233a24 145336b7e192c9316967d809b14b1bc5986765010aa945c727ec4e3d63ec88dd 116994b90ffb2afd60e4c22ee85705aa1b57f50f878c21f397ecf391e856e338 6969f3f0e74d09534e9bdbbc752eaad53b2c4aba329ef06036d55ff0c9885cb9 ac6e9ff4057c9f4f591103ad4cb04894d1193a9ad434407c54b285acc3576298 7ce8a0aca60afea4f9879f62085be44e638543ee66c41c8d5db02f2ae08b4d0b b3b906c5c568e718921a205a02a8356f ~~ Test Case HMAC-SHA3-384-KDF-5 ~~ Description: ESP key material ENCR=AES-256-CBC INTEG=HMAC-SHA3-384 KEYMAT=(256*2) + (384*2) bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 1280 Output (hex): 2c41a30906e2809b86e9cd75fdf055a46534664e49b0979ff067508d522f441f cf47d15477119ba2e9b9e85399bff5d4a1d827ea5b485abf569b2e83585e720e b7d7c50c4c90eadd1d9aeeaaf6921eae1f64d40a4efa56ef2cb02c1fe5d6b440 a2970d7be7d4b61a8b1fdde0850eac6848cfd46a28e3206465fce4cd030a7a8a 8398671e9b9b41dfd7eee81e37f4303f8055cb3ef2dae1b3723a49eda4c83077 Salter, et al. Expires 7 April 2025 [Page 32] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 A.2.3. HMAC-SHA3-512 KDF Test Vectors ~~ Test Case HMAC-SHA3-512-KDF-1 ~~ Description: IKEv2 KDF request single PRF output Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 512 Output (hex): 399c608d085a547c072ace5dfd9881791178026f318e695b7c6b3dec968e24be 3a55003dd481ddf021d762beb3736747f1af27abb432e489f545400968b2150a ~~ Test Case HMAC-SHA3-512-KDF-2 ~~ Description: IKEv2 KDF request multiple PRF output Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 1024 Output (hex): 399c608d085a547c072ace5dfd9881791178026f318e695b7c6b3dec968e24be 3a55003dd481ddf021d762beb3736747f1af27abb432e489f545400968b2150a 42af3f427186715cab4c97d47e3f7c25aa701030b51d74744c262aa2675d5d1f 27e35f99d4eeef1d07d19c9656c804b396b7f2761ea65a2653b4711340e2986f ~~ Test Case HMAC-SHA3-512-KDF-3 ~~ Description: IKE SA key material ENCR=AES-128-GCM PRF=HMAC-SHA3-512 Salter, et al. Expires 7 April 2025 [Page 33] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 SK_d = 512 bits SK_a[i|r] = nil SK_e[i|r] = 160*2 bits SK_p[i|r] = 512*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 1856 Output (hex): 9c7d3c211a5ab9c7ac70c688aa44df6d213dcdc339a667d68766b9bf77591879 a60247a979b02edcdc7bd3a3584a4faf8ecd7d02a91671d8a51523e4d9425a5c 11e2cd1bfa8bf9d8a81bd63d4b16f897f768d7065ae2fa0392f30815c0010d9a 229953a8d7878d4ff5ddafb41303652d30a2e9eaa3578f1b735db7043a6ac1c8 cdeccaf15970c7c7279319944ccaf4607fab77280c982e653adf6bad77298877 7b7602e022a51a7358b7827059879b37bc8d86f1dc6f915aa1bfd0241bc5d2fe 2cacd8f8705a1a247a2b476f75d5c31753863140f7a48f13c7d935c6e21f5f49 b95f791cf7a4c2d5 ~~ Test Case HMAC-SHA3-512-KDF-4 ~~ Description: IKE SA key material ENCR=AES-256-CBC INTEG=HMAC-SHA3-512 PRF=HMAC-SHA3-512 SK_d = 512 bits SK_a[i|r] = 512*2 bits SK_e[i|r] = 256*2 bits SK_p[i|r] = 512*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 3072 Salter, et al. Expires 7 April 2025 [Page 34] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Output (hex): 9c7d3c211a5ab9c7ac70c688aa44df6d213dcdc339a667d68766b9bf77591879 a60247a979b02edcdc7bd3a3584a4faf8ecd7d02a91671d8a51523e4d9425a5c 11e2cd1bfa8bf9d8a81bd63d4b16f897f768d7065ae2fa0392f30815c0010d9a 229953a8d7878d4ff5ddafb41303652d30a2e9eaa3578f1b735db7043a6ac1c8 cdeccaf15970c7c7279319944ccaf4607fab77280c982e653adf6bad77298877 7b7602e022a51a7358b7827059879b37bc8d86f1dc6f915aa1bfd0241bc5d2fe 2cacd8f8705a1a247a2b476f75d5c31753863140f7a48f13c7d935c6e21f5f49 b95f791cf7a4c2d55f65eac34b24d6b7612f2c09f00e02a6dd99d1d5caf2632c 2a4f3d83570837cb9c31a7c4440950ca5afbc17f6f1b9123fb02da95ca37540c 6ea9ecdfe1f6662ead42a2d1f14dbe13c91e5d6dfd697e729eee26f86976e0b2 f2e844beb7134bca666fb9207a01e90fff02336f1656b57b86d0ab84545392a9 82cc5b3b3f52b2ddb28de585fa8c7cfafd18d8f66ac4394c8ec7db5364c494be ~~ Test Case HMAC-SHA3-512-KDF-5 ~~ Description: ESP key material ENCR=AES-256-CBC INTEG=HMAC-SHA3-512 KEYMAT=(256*2) + (512*2) bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 1536 Output (hex): 399c608d085a547c072ace5dfd9881791178026f318e695b7c6b3dec968e24be 3a55003dd481ddf021d762beb3736747f1af27abb432e489f545400968b2150a 42af3f427186715cab4c97d47e3f7c25aa701030b51d74744c262aa2675d5d1f 27e35f99d4eeef1d07d19c9656c804b396b7f2761ea65a2653b4711340e2986f b500b7744b1c2cf5cfffef372b6c535c21897ee40b44589407936390ef44122d 7ed64063b04d9c0105b84220c9038379ffc861820e4c3ab9972a20ce31d6c468 A.2.4. KMAC128 KDF Test Vectors ~~ Test Case KMAC128-KDF-1 ~~ Description: IKEv2 KDF request single PRF output Key (hex): Salter, et al. Expires 7 April 2025 [Page 35] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 256 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): 364f2231443775dcdd1879fd4aa54f1adadaf0ac58e90285c5d95d3e2bbbc216 ~~ Test Case KMAC128-KDF-2 ~~ Description: IKEv2 KDF request multiple PRF output Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 512 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): 4603b8e26567ccbb4e0498bdbc96ccad685849371efc9c3f34ee681b88bd2dc0 95e2c5745769f73873e4787228bde59d73567fc81a865f2d14208355fbd0e7b1 ~~ Test Case KMAC128-KDF-3 ~~ Description: IKE SA key material ENCR=AES-128-GCM PRF=KMAC128 SK_d = 128 bits Salter, et al. Expires 7 April 2025 [Page 36] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 SK_a[i|r] = nil SK_e[i|r] = 160*2 bits SK_p[i|r] = 128*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 704 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): cd4f184a2868ee2b4f44d28a1e543a72489767f621c23f6645e477a7668c7d1d 9a7c143b5258d4258ded00fe78ea280033f4f52832876a61747358b759f135d3 f2b8908571defe8d0cbe497a8f7daf09710d1eac6ae6cd33 ~~ Test Case KMAC128-KDF-4 ~~ Description: IKE SA key material ENCR=AES-256-CBC INTEG=KMAC128 PRF=KMAC128 SK_d = 128 bits SK_a[i|r] = 128*2 bits SK_e[i|r] = 256*2 bits SK_p[i|r] = 128*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 1152 Customization String (string): Salter, et al. Expires 7 April 2025 [Page 37] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): 5346031edd514606a1faf3269571e9d0cfa632e9640f09499457276a2ec39c25 d042401ac90c6f53ee93a50913a4664f5c1e71469739d729a1f57d2f78832cb7 695a471756b1c27500267047985007c901575e6f43bd22c452d7b92ed5cb0328 d4a9ecccba37c28d5e1859291d256dd40ff346583532c75c80a13391b22815ae 7a2768d5c8b8a9f3283f11e7b7c1c627 ~~ Test Case KMAC128-KDF-5 ~~ Description: ESP key material ENCR=AES-256-CBC INTEG=KMAC128 KEYMAT=(256*2) + (128*2) bits Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 768 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): 1ad3efce20c5ea7dc9ea91ab19aa05b6bb29cb81c3eeb9db4eab962f43772306 c33b221a3e244e2537d591631daf5c2ce3ae0e58ed8e5580cedbe7538d1727d1 d49a7b8a93f3d4c698e608e0b0534e51c871686308b1085031ae3765a29abb3c A.2.5. KMAC256 KDF Test Vectors ~~ Test Case KMAC256-KDF-1 ~~ Description: IKEv2 KDF request single PRF output Key (hex): Salter, et al. Expires 7 April 2025 [Page 38] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 512 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): 918fcc9584938feadca44878aff97466df6de641863bfa2ff92e8d4f28109195 316a4786d33a7a3e7de2cf483d9750f0d5f1f2551b59992a621d44850fb4b730 ~~ Test Case KMAC256-KDF-2 ~~ Description: IKEv2 KDF request multiple PRF output Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 1024 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): e5414718d74f02f7032c926d777e7553d5c74f073d622317b341ec2e8d7eeb13 77bb38ae552900eb5b075dbf7185cddbfe216a16e2692d313598dca7c6df8453 73eaa2d9623a07e6333706bd4655180b4b750af8bcdefa053a5601d25f808e41 ad07734f1b65201ae9e639893ea76ec8bb8b004b43ad48a9687cddda3ecf665c ~~ Test Case KMAC256-KDF-3 ~~ Description: IKE SA key material Salter, et al. Expires 7 April 2025 [Page 39] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 ENCR=AES-128-GCM PRF=KMAC256 SK_d = 256 bits SK_a[i|r] = nil SK_e[i|r] = 160*2 bits SK_p[i|r] = 256*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Number of output bits requested (integer): 1088 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): e22f0bf22b2a3f595c4af083b9ae7abb1102c22b10da628a569a005d71cb0f5c 69ddb319c9365c25e1f8ff9ec5b3a71f7cf96490ed7b835feea6c6331d25c0cc 94f562316504d02a16339a4b2bcbf57c4729ede14bfa334ea9bf3de2208c1176 0bad9e5e4b5623edd9a221fb8d1fba02b8bd64b63422c9e0bb2e2a6b0434c88b fb63a52f8eee6436 ~~ Test Case KMAC256-KDF-4 ~~ Description: IKE SA key material ENCR=AES-256-CBC INTEG=KMAC256 PRF=KMAC256 SK_d = 256 bits SK_a[i|r] = 256*2 bits SK_e[i|r] = 256*2 bits SK_p[i|r] = 256*2 bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 dfdedddcdbdad9d8d7d6d5d4d3d2d1d0 Salter, et al. Expires 7 April 2025 [Page 40] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Number of output bits requested (integer): 1792 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): 7cecf177da25eca206b2bd9b1d17710f08d6e09d8361f053116be41aaa583bd2 7ab4bb9ca8d5019787fac7227ed8ce01fa250a9ab4b638f98a4365dd84004b11 2c4810eeeb36d8493922f1fe8b75609d9f6d4c08aa1f16039b164600d8748913 bd0736b742eef9d7038df42ea748798b58e4d716d669a677115926c490ea46fa 948f2f0eee211e2200d401fffad14f05c82aa388b701ad83b576053c22a3f1f8 2966af987f37dae321ccc5867e50f19d9a7a07946e5ddd58ecf9668bbbbfa30c 78568cc0b5de273a8773ca15a2cc299da3331437850dd9dc5f126e76cbd0fcd7 ~~ Test Case KMAC256-KDF-5 ~~ Description: ESP key material ENCR=AES-256-CBC INTEG=KMAC256 KEYMAT=(256*2) + (256*2) bits Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Number of output bits requested (integer): 1024 Customization String (string): "ikev2 kdf" Customization String (hex): 696b657632206b6466 Output (hex): e5414718d74f02f7032c926d777e7553d5c74f073d622317b341ec2e8d7eeb13 77bb38ae552900eb5b075dbf7185cddbfe216a16e2692d313598dca7c6df8453 73eaa2d9623a07e6333706bd4655180b4b750af8bcdefa053a5601d25f808e41 ad07734f1b65201ae9e639893ea76ec8bb8b004b43ad48a9687cddda3ecf665c Salter, et al. Expires 7 April 2025 [Page 41] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 A.3. HMAC-SHA3 IKEv2 and IPsec Integrity Protection Test Vectors These test cases correspond to use of HMAC-SHA3 as the integrity protection transform for an IKEv2 SA or an IPsec SA. A.3.1. HMAC-SHA3-256 IKEv2 and IPsec Integrity Protection Test Vectors ~~ Test Case HMAC-SHA3-256-IKEV2+IPSEC-INTEG-1 ~~ Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): 10ae5299b538c806177afcfbd50a78cc A.3.2. HMAC-SHA3-384 IKEv2 and IPsec Integrity Protection Test Vectors ~~ Test Case HMAC-SHA3-384-IKEV2+IPSEC-INTEG-1 ~~ Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): c412ca3549716fafa30b7cc1f8333ec80875f7f42b1bd02e A.3.3. HMAC-SHA3-512 IKEv2 and IPsec Integrity Protection Test Vectors ~~ Test Case HMAC-SHA3-512-IKEV2+IPSEC-INTEG-1 ~~ Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Output (hex): dd3900c31efb5ca7f8cc457a2343c09177c76c81f0650e026d72e50878d70b70 Salter, et al. Expires 7 April 2025 [Page 42] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 A.4. KMAC IKEv2 Integrity Protection Test Vectors These test cases correspond to use of KMAC as the integrity protection transform for an IKEv2 SA. Note that, since different customization strings are used for integrity protection in IKEv2 and IPsec, different outputs are produced, so two sets of test vectors are supplied. A.4.1. KMAC128 IKEv2 Integrity Protection Test Vectors ~~ Test Case KMAC128-IKEV2-INTEG-1 ~~ Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ikev2 auth" Customization String (hex): 696b6576322061757468 Output (hex): 535c4f72ea7967ddae5dc95732625801 A.4.2. KMAC256 IKEv2 Integrity Protection Test Vectors ~~ Test Case KMAC256-IKEV2-INTEG-1 ~~ Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ikev2 auth" Customization String (hex): 696b6576322061757468 Output (hex): 06215b3864e0e977bd45267a8e70c9ce Salter, et al. Expires 7 April 2025 [Page 43] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 A.5. KMAC IPsec Integrity Protection Test Vectors These test cases correspond to use of KMAC as the integrity protection transform for an IPsec SA. Note that, since different customization strings are used for integrity protection in IKEv2 and IPsec, different outputs are produced, so two sets of test vectors are supplied. A.5.1. KMAC128 IKEv2 Integrity Protection Test Vectors ~~ Test Case KMAC128-IPSEC-INTEG-1 ~~ Key (hex): 000102030405060708090a0b0c0d0e0f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ipsec auth" Customization String (hex): 69707365632061757468 Output (hex): d78075faf484002a8bca0272dcc169ac A.5.2. KMAC256 IKEv2 Integrity Protection Test Vectors ~~ Test Case KMAC256-IPSEC-INTEG-1 ~~ Key (hex): 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f Input (hex): fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0 Customization String (string): "ipsec auth" Customization String (hex): 69707365632061757468 Output (hex): 6baa9313bbd91f81876301d2a4b9af34 Salter, et al. Expires 7 April 2025 [Page 44] Internet-Draft SHA-3 in IKEv2 and IPsec October 2024 Appendix B. Acknowledgments TODO Authors' Addresses Ben Salter UK National Cyber Security Centre Email: Ben.S3@ncsc.gov.uk Adam Raine UK National Cyber Security Centre Email: Adam.R@ncsc.gov.uk Jonathan Cruickshanks UK National Cyber Security Centre Email: Jonathan.C@ncsc.gov.uk Salter, et al. Expires 7 April 2025 [Page 45]