> > > This leaves out the third bullet, i.e. "3) if single protocol has both
> > > encryption and authentication keys, the encryption key is taken first
> > > and the authentication key after the encryption key."
> >
> > This bullet is probably superfluous and incomplete.
> >
> > First, RFC4301 already has the same requirement (section 4.5.2):
> >
> >    To ensure that the IPsec implementations at each end of
> >    the SA use the same bits for the same keys, and irrespective of which
> >    part of the system divides the string of bits into individual keys,
> >    the encryption keys MUST be taken from the first (left-most,
> >    high-order) bits and the integrity keys MUST be taken from the
> >    remaining bits.  The number of bits for each key is defined in the
> >    relevant cryptographic algorithm specification RFC.  In the case of
> >    multiple encryption keys or multiple integrity keys, the
> >    specification for the cryptographic algorithm must specify the order
> >    in which they are to be selected from a single string of bits
> >    provided to the cryptographic algorithm.
> >
> > And second, it defines only the order of encryption and authentication keys.
> > If some bits need to be derived for some other purposes (like nonces
> > in GCM and CCM, etc.), this paragraph doesn't help at all.
> >
> > So, I think it is better to rely on RFC4301 here and leave 3rd bullet out.

That also works for the GCM and CCM examples because their necessary details
are already specified in the GCM and CCM RFCs.  GCM and CCM actually take salt
values for nonces (as opposed to the nonces themselves) from the generated keying
material.  The RFCs for these two transforms are carefully written to specify
that one larger chunk of keying material is taken and then divided into salt
and key (see RFC 4106, Section 8.1 and RFC 4309, Section 7.1).

What this means is that from the point of view of how the generated keying
material is consumed, a GCM or CCM salt is logically part of a larger
encryption key.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_da...@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
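
An added example, not part of the original message or of any IPsec implementation: a KEYMAT splitter that follows the RFC 4301 section 4.5.2 ordering (encryption bits first, integrity bits after) and treats the GCM/CCM salt as the tail of the encryption-key chunk, as RFC 4106 section 8.1 and RFC 4309 section 7.1 specify. The transform labels and function names are hypothetical; the octet counts are the 128-bit AES cases from those RFCs plus the 160-bit HMAC-SHA-1 key.

```python
from typing import NamedTuple


class Layout(NamedTuple):
    enc_key: int    # octets of cipher key
    salt: int       # octets of salt trailing the cipher key (0 if none)
    integ_key: int  # octets of separate integrity key (0 for combined mode)


# Hypothetical labels; sizes taken from the algorithm RFCs.
LAYOUTS = {
    "aes128-cbc+hmac-sha1-96": Layout(16, 0, 20),
    "aes128-gcm": Layout(16, 4, 0),  # RFC 4106 8.1: 20 octets of KEYMAT
    "aes128-ccm": Layout(16, 3, 0),  # RFC 4309 7.1: 19 octets of KEYMAT
}


class SaKeys(NamedTuple):
    enc_key: bytes
    salt: bytes
    integ_key: bytes


def keymat_len(transform: str) -> int:
    """Octets of KEYMAT one SA needs for this transform."""
    return sum(LAYOUTS[transform])


def split_keymat(keymat: bytes, transform: str) -> SaKeys:
    """Divide one SA's KEYMAT: encryption chunk first, integrity key after."""
    layout = LAYOUTS[transform]
    if len(keymat) != sum(layout):
        raise ValueError(
            f"{transform} needs {sum(layout)} octets, got {len(keymat)}")
    # The salt is logically part of the encryption key chunk, so it is
    # consumed before any integrity key bits.
    enc_chunk_len = layout.enc_key + layout.salt
    enc_chunk, integ_key = keymat[:enc_chunk_len], keymat[enc_chunk_len:]
    return SaKeys(enc_chunk[:layout.enc_key],
                  enc_chunk[layout.enc_key:],
                  integ_key)


def gcm_nonce(salt: bytes, iv: bytes) -> bytes:
    """RFC 4106 nonce: 4-octet salt followed by the 8-octet per-packet IV."""
    if len(salt) != 4 or len(iv) != 8:
        raise ValueError("GCM ESP nonce is a 4-octet salt plus an 8-octet IV")
    return salt + iv
```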
