David A. McGrew, Ph.D.
mcgrew [at] cisco [dot] com





I am a Fellow at Cisco Systems, where I work in the Office of the CTO in the Security Business Group. My current focus is the detection of advanced threats and malware using network monitoring and analytic techniques. I work to improve network and system security through applied research, standards, and product engineering, and connect the industry to research through the University Research Board.

This web page is not up to date; it is maintained only to provide preprints and similar documents. For more up to date professional information, please visit my page on LinkedIn. Needless to say, this web page represents me, and does not represent my employer or any other organization.

I have worked in applied cryptography, with interests centered on building practical security systems using cryptography, with an emphasis on performance, scalability and deployability, as well as cryptanalysis, the design of symmetric ciphers and message authentication codes, and information theory. I was a founder and co-chair of the IRTF Crypto Forum Research Group as well as a member of the International Association for Cryptologic Research and the Internet Society.

I'm also an alumnus of The Ohio State University (B.S., Physics) and Michigan State University (Ph.D., Theoretical Nuclear Physics, Adviser: Wolfgang Bauer). My other interests include Open Source software, and I have used Linux since 1995.



Some of my recent publications, presentations, specifications and standards-related works are available online.


D. McGrew, Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes, Proceedings of the Fast Software Encryption Workshop, 2013. Preprint available at the IACR eprint archive.

The block cipher modes of operation that are widely used (CBC, CTR, CFB) are secure up to the birthday bound; that is, if w*2^w or fewer bits of data are encrypted with a w-bit block cipher. However, the detailed security properties close to this bound are not widely appreciated, despite the fact that 64-bit block ciphers are sometimes used in that domain. This work addresses the issue by analyzing plaintext-recovery attacks that are effective close to that bound. We describe probable-plaintext attacks, which can learn unknown plaintext values that are encrypted with CBC, CFB, or OFB. We also introduce impossible plaintext cryptanalysis, which can recover information encrypted with CTR, and can improve attacks against the aforementioned modes as well. These attacks work at the birthday bound, or even slightly below that bound, when the target plaintext values are encrypted under a succession of keys.

Slides are available on the FSE 2013 website.

D. McGrew and S. Fluhrer, The Security of the Extended Codebook (XCB) Mode of Operation, Proceedings of the 14th Annual Workshop on Selected Areas in Cryptography, Springer, 2007. Preprint available at the IACR eprint archive.

The XCB mode of operation was outlined in 2004 as a contribution to the IEEE Security in Storage effort, but no security analysis was provided. In this paper, we provide a proof of security for XCB, and show that it is a secure tweakable (super) pseudorandom permutation. Our analysis makes several new contributions: it uses an algebraic property of XCB's internal universal hash function to simplify the proof, and it defines a nonce mode in which XCB can be securely used even when the plaintext is shorter than twice the width of the underlying block cipher. We also show minor modifications that improve the performance of XCB and make it easier to analyze. XCB is interesting because it is highly efficient in both hardware and software, it has no alignment restrictions on input lengths, it can be used in nonce mode, and it uses the internal functions of the Galois/Counter Mode (GCM) of operation, which facilitates design re-use and admits multi-purpose implementations.

Hu, Yih-Chun, David McGrew, Adrian Perrig, Brian Weis, and Dan Wendlandt. (R)Evolutionary Bootstrapping of a Global PKI for Securing BGP, Fifth Workshop on Hot Topics in Networks (HotNets-V), by ACM SIGCOMM. Irvine, California, November 29-30, 2006.

Most secure routing proposals require the existence of a global public-key infrastructure (PKI) to bind a public/private key-pair to a prefix, in order to authenticate route originations of that prefix. A major difficulty in secure routing deployment is the mutual dependency between the routing protocol and the establishment of a globally trusted PKI for prefixes and ASes: cryptographic mechanisms used to authenticate BGP Update messages require a PKI, but without a secure routing infrastructure in place, Internet registries and ISPs have little motivation to invest in the development and deployment of this PKI. This paper proposes a radically different mechanism to resolve this dilemma: an evolutionary Grassroots-PKI that bootstraps by letting any routing entity announce self-signed certificates to claim their address space. Despite the simple optimistic security of this initial stage, we demonstrate how a Grassroots-PKI provides ASes with strong incentives to evolve the infrastructure into a full top-down hierarchical PKI, as proposed in secure routing protocols like S-BGP. Central to the Grassroots-PKI concept is an attack recovery mechanism that by its very nature moves the system closer to a global PKI. This admittedly controversial proposal offers a rapid and incentive-compatible approach to achieving a global routing PKI.

David McGrew, Efficient Authentication of large, dynamic data sets using Galois/Counter Mode (GCM), 3rd International IEEE Security in Storage Workshop, December 13, 2005.

The Galois/Counter Mode (GCM) of operation can be used as an incremental message authentication code (MAC); in this respect, it is unique among the crypto algorithms used in practice. We show that it has this property, and show how to use it as an incremental MAC. These MACs have great utility for protecting data at rest. In particular, they can be used to protect a large, dynamic data set using only a small, constant amount of memory.

David A. McGrew and John Viega, The Security and Performance of the Galois/Counter Mode (GCM) of Operation, INDOCRYPT 2004, Springer-Verlag, 343-355. Full version available at the IACR eprint archive, August 10, 2004.

The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.

Mingyan Li, Radha Poovendran, David A. McGrew: Minimizing center key storage in hybrid one-way function based group key management with communication constraints. Inf. Process. Lett. 93(4): 191-198 (2005).

Bo Yang, Ramesh Karri, David A. McGrew: Divide-and-concatenate: an architecture level optimization technique for universal hash functions. DAC 2004: 614-617.

Bo Yang, Ramesh Karri, David A. McGrew: Divide and concatenate: a scalable hardware architecture for universal MAC. FPGA 2004: 258.

Top Ten Wrong Conclusions from Attacks on Additive Encryption, last slide from the SAC '00 presentation.

David A. McGrew and Scott R. Fluhrer, Attacks on Additive Encryption of Redundant Plaintext and Implications on Internet Security, The Proceedings of the Seventh Annual Workshop on Selected Areas in Cryptography (SAC 2000), Springer-Verlag, August, 2000.

Abstract: We present and analyze attacks on additive stream ciphers that rely on linear equations that hold with nontrivial probability in plaintexts that are encrypted using distinct keys.  These attacks extend Biham's key collision attack and Hellman's time memory tradeoff attack, and can be applied to any additive stream cipher.  We define linear redundancy to characterize the vulnerability of a plaintext source to these attacks.

We show that an additive stream cipher with an $n$-bit key has an effective key size of $n-\min(l, \lg M)$ against the key collision attack, and of $2n/3 + \lg (n/3) + \max(n-l,0)$ against the time memory tradeoff attack, when the attacker knows $l$ linear equations over the plaintext and has $M$ ciphertexts encrypted with $M$ distinct unknown secret keys.

Lastly, we analyze the IP, TCP, and UDP protocols and some typical protocol constructs, and show that they contain significant linear redundancy.  We conclude with observations on the use of stream ciphers for Internet security.

Scott R. Fluhrer and David A. McGrew, Statistical Analysis of the Alleged RC4 Stream Cipher, The Proceedings of the Fast Software Encryption Workshop 2000, Springer-Verlag, March, 2000.

Abstract: The alleged RC4 keystream generator is examined, and a method of explicitly computing digraph probabilities is given.  Using this method, we demonstrate a method for distinguishing 8-bit RC4 from randomness.  Our method requires less keystream output than currently published attacks, requiring only $2^{30.6}$ bytes of output.  In addition, we observe that an attacker can, on occasion, determine portions of the internal state with nontrivial probability.  However, we are currently unable to extend this observation to a full attack.

David A. McGrew and Alan T. Sherman, Key establishment in large dynamic groups using one-way function trees, IEEE Transactions on Software Engineering 29(5): 444-458 (2003).

Abstract: We present and analyze a new algorithm for establishing shared cryptographic keys in large, dynamically changing groups. Our algorithm is based on a novel application of one-way function trees. In comparison with previously published methods, our algorithm achieves a new minimum in the number of bits that need to be broadcast to members in order to re-key after a member is added or evicted. The number of keys stored by group members, the number of keys broadcast to the group when new members are added or evicted, and the computational efforts of group members, are logarithmic in the number of group members. Our algorithm provides complete forwards and backwards security: newly admitted group members cannot read previous messages, and evicted members cannot read future messages, even with collusion by arbitrary many evicted members.

This algorithm offers a new scalable method for establishing group session keys for secure large-group applications such as electronic conferences, multicast sessions, and military command and control.

Works in Progress

David McGrew and Scott Fluhrer. The Extended Codebook (XCB) Mode of Operation. Pre-publication draft, available on IACR Eprint Archive. October, 2004. (The published work is cited above.)

We describe a block cipher mode of operation that implements a `tweakable' (super) pseudorandom permutation with an arbitrary block length. This mode can be used to provide the best possible security in systems that cannot allow data expansion, such as disk-block encryption and some network protocols. The mode accepts an additional input, which can be used to protect against attacks that manipulate the ciphertext by rearranging the ciphertext blocks.

Our mode is similar to a five-round Luby-Rackoff cipher in which the first and last rounds do not use the conventional Feistel structure, but instead use a single block cipher invocation. The third round is a Feistel structure using counter mode as a PRF. The second and fourth rounds are Feistel structures using a universal hash function; we re-use the polynomial hash over a binary field defined in the Galois/Counter Mode (GCM) of operation for block ciphers. This choice provides efficiency in both hardware and software and allows for re-use of implementation effort. XCB also has several useful properties: it accepts arbitrarily-sized plaintexts and associated data, including any plaintexts with lengths that are no smaller than the width of the block cipher.

David McGrew and Scott Fluhrer. Multiple forgery attacks against Message Authentication Codes. Pre-publication draft, available on IACR Eprint Archive. May, 2005.

Some message authentication codes (MACs) are vulnerable to multiple forgery attacks, in which an attacker can gain information that allows her to succeed in forging multiple message/tag pairs. This property was first noted in MACs based on universal hashing, such as the Galois/Counter Mode (GCM) of operation for block ciphers. However, we show that CBC-MAC and HMAC also have this property, and for some parameters are more vulnerable than GCM. We present multiple-forgery attacks against these algorithms, then analyze the security against these attacks by using the expected number of forgeries. We compare the different MACs using this measure.


Physics Publications

There is a remarkably close parallel between the problems of the physicist and those of the cryptographer. The system on which a message is enciphered corresponds to the laws of the universe, the intercepted messages to the evidence available, the keys for a day or a message to important constants which have yet to be determined. The correspondence is very close, but the subject matter of cryptography is very easily dealt with by discrete machinery, physics not so easily. Alan Turing, "Intelligent machinery." In: Bernhard Meltzer and Donald Michie (eds), Machine Intelligence 5, p. 14.

The papers in physics below were published during graduate school while I was at the National Superconducting Cyclotron Laboratory and Michigan State University.

D.A. McGrew and W. Bauer, Constraint operator solution to quantum billiard problems, Phys. Rev. E, 54, 5809 (1996).

We introduce an additional method to solve Schrödinger's equation for a free particle in an infinite well of arbitrary shape (the Helmholtz equation with Dirichlet boundary conditions), a problem of interest in the area of quantum chaos. We expand the wave function in a basis of products of sine functions, then use the constraint operator to contain the wave function to a region within the domain of the basis functions. In this manner, a quantum billiard problem of arbitrary shape can be solved. Several methods exist to solve problems of this sort, but as recent work reviewing these methods has shown, all have shortcomings. Our work represents a different direction in the solution of these problems. Our method is different in that it provides a means of computing an eigenbasis. It is also interesting from a physical standpoint in that it can represent the Hamiltonian of a classically chaotic system in the basis of a classically regular system.

Surajit Sen, Carl N. Hoff, Dennis E. Kuhl and David A. McGrew, Relaxation in simple s=1/2 spin chains with next nearest neighbor interactions, Physical Review B vol. 53, pp. 3398-3408 (1996).

Most of the existing dynamical studies in one dimension on magnetic insulators have considered the simplest spin models with nearest-neighbor interactions. In real systems, however, it is possible that longer range interactions are not entirely negligible. It is expected that the inclusion of next-nearest-neighbor interactions between spins in one-dimensional spin models will introduce a multitude of new frequencies in addition to the ones already present in the dynamics that arises due to nearest-neighbor interactions. We first present an exact solution for the dynamical xx-spin-pair correlations in an Ising chain with both nearest- and next-nearest-neighbor interactions to confirm our expectation. We next show, via an approximate analytical calculation, that the dynamical zz-spin-pair correlations in the next-nearest-neighbor transverse Ising chain when plotted as a function of time is noticeably different with respect to the exactly solvable nearest-neighbor transverse Ising chain at $T \to \infty$ when the next-nearest-neighbor interaction is $\gtrsim 1/2$ of the magnitude of the nearest-neighbor interaction. The effects could be fairly subtle in the time domain representation and in the spectral function when these additional interactions are weak (i.e., $< 1/2$ of the nearest-neighbor interaction magnitude). The general conclusions reached in this work are expected to be valid for other simple quantum spin models such as the XY and XXZ models in one dimension.

W. Bauer, D. McGrew, V. Zelevinsky, and P. Schuck, Regular and Chaotic Dynamics in Giant Nuclear Oscillations, Nucl. Phys.  A583, 93c (1995).

We study the problem of giant nuclear oscillations by performing self-consistent calculations in semiclassical approximation utilizing a multipole-multipole interaction of the Bohr-Mottelson type for quadrupole and octupole deformations. In all cases considered, we find regular motion of the collective coordinate, the multipole moment of deformation. This is in contradiction to the predictions of the wall formula and suggests that this type of one-body dissipation might not be realized in real nuclear systems. In addition, we find chaotic single particle motion in coexistence with the regular collective dynamics.

W. Bauer, D. McGrew, V. Zelevinsky, and P. Schuck,  Coexistence of Regular Undamped Nuclear Dynamics with Intrinsic Chaoticity, Phys. Rev. Lett. 72, 3771 (1994).

We study the conditions under which the nucleons inside a deformed nucleus can undergo chaotic motion. To do this we perform self-consistent calculations in semiclassical approximation utilizing a multipole-multipole interaction of the Bohr-Mottelson type for quadrupole and octupole deformations. For the case of harmonic and nonharmonic static potentials, we find that both multipole deformations lead to regular motion of the collective coordinate, the multipole moment of deformation. However, despite this regular collective motion, we observe chaotic single-particle dynamics.


Technical Reports

D. Balenson, D. Branstad, P. Dinsmore, M. Heyman, and C. Scace. DCCM Cryptographic Context Negotiation Protocol. TIS Technical Report 0757, TIS labs at Network Associates, Inc., February 1999.

D. Balenson, D. Branstad, D. McGrew, and A. Sherman. DCCM architecture and system design. Technical Report TIS report 0709, TIS labs at Network Associates, Inc., June 1998.

D. Balenson, D. McGrew, and A. Sherman. Key management for large dynamic groups: One-way function trees and amortized initialization. draft-irtf-smug-groupkeymgmt-oft-00.txt, Internet Research Task Force, August 2000.

D. Balenson, D. Branstad, D. McGrew, J. Turner, and M. Heyman. DCCM Cryptographic Context Negotiation Template. TIS Technical Report 0745-2, TIS labs at Network Associates, Inc., February 1999.

Denny Branstad, David McGrew.  Policy-Controlled Cryptographic Key Release.  DIMACS Trust Management Workshop. September, 1996.



Problems and Progress with Crypto Hash Functions, Presentation to IAB/Technical Plenary at IETF64, 2005.

Scalable, Efficient Cryptography for Multiple Security Services.  The Center for Information Systems Security Studies and Research, Naval Postgraduate School, July, 2004.

Security without data expansion: the XCB mode of operation.  CyLab Seminar, Carnegie-Mellon University, October, 2004.

GCM: Encryption and Authentication at 10 gbps and Beyond. Washington Area Trustworthy Systems Hour (WATSH), April 13, 2004.

The Shape of VPNs to Come.  The Internet Security Conference (TISC), October, 1999.


Specifications and Standards

The Secure Real Time Transport Protocol (SRTP) and related work

M. Baugher, D. McGrew, M. Naslund, E. Carrara, K. Norrman, The Secure Real-time Transport Protocol (SRTP), IETF Request for Comments RFC 3711. March 2004. Standards Track.

This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP).

libSRTP is an open-source reference implementation of Secure RTP, which is available on sourceforge.

D. McGrew, F. Andreasen, L. Dondeti, Encrypted Key Transport for Secure RTP, IETF Internet Draft draft-mcgrew-srtp-ekt-06.txt. October 2009. Informational.

SRTP Encrypted Key Transport (EKT) is an extension to SRTP that provides for the secure transport of SRTP master keys, Rollover Counters, and other information, within SRTCP. This facility enables SRTP to work for decentralized conferences with minimal control, and to handle situations caused by early media.

D. McGrew, E. Rescorla, Datagram Transport Layer Security (DTLS) Extension to Establish Keys for Secure Real-time Transport Protocol (SRTP), IETF Internet Draft draft-ietf-avt-dtls-srtp-07.txt. Standards Track. February, 2009. (Approved for RFC.)

This document describes a Datagram Transport Layer Security (DTLS) extension to establish keys for secure RTP (SRTP) and secure RTP Control Protocol (SRTCP) flows. DTLS keying happens on the media path, independent of any out-of-band signalling channel present.

D. McGrew. The use of AES-192 and AES-256 in Secure RTP, draft-ietf-avt-srtp-big-aes-02.txt. Standards Track. October, 2009.

This memo describes the use of the Advanced Encryption Standard (AES) with 192 and 256 bit keys within the Secure RTP protocol. It defines Counter Mode encryption for SRTP and SRTCP and a new SRTP Key Derivation Function (KDF) for AES-192 and AES-256.

D. McGrew. AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP) draft-ietf-avt-srtp-aes-gcm-00. Standards Track. July, 2009.

This document defines how AES-GCM, AES-CCM, and other Authenticated Encryption with Associated Data (AEAD) algorithms, can be used to provide confidentiality and data authentication mechanisms in the SRTP protocol.

D. McGrew, Synchronizing the Rollover Counter in SRTP Multiparty Sessions, March, 2006. (Sent to IETF AVT working group, but not formally published.)

Galois/Counter Mode

David A. McGrew and John Viega, Galois/Counter Mode of Operation (GCM), Local copy of the original submission to NIST Modes of Operation process, January 15, 2004. Slightly revised on May 31, 2005 (posted on June 2, 2005).

Galois/Counter Mode (GCM) is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption. It can be implemented in hardware to achieve high speeds with low cost and low latency. Software implementations can achieve excellent performance by using table-driven field operations. It uses mechanisms that are supported by a well-understood theoretical foundation, and its security follows from a single reasonable assumption about the security of the block cipher.

J. Viega and D. McGrew, The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP), IETF Request for Comments RFC 4106, June, 2005.

This memo describes the use of the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) as an IPsec Encapsulating Security Payload (ESP) mechanism to provide confidentiality and data origin authentication. This method can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also well-suited to software implementations.

D. McGrew and J. Viega, The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH, IETF Request for Comments RFC 4543, May, 2006.

This memo describes the use of the Advanced Encryption Standard (AES) Galois Message Authentication Code (GMAC) as a mechanism to provide data origin authentication, but not confidentiality, within the IPsec Encapsulating Security Payload (ESP) and Authentication Header (AH). GMAC is based on the Galois/Counter Mode (GCM) of operation, and can be efficiently implemented in hardware for speeds of 10 gigabits per second and above, and is also well-suited to software implementations.


Threshold Secret Sharing

D. McGrew, P. Patnala, A. Hoenes, Threshold Secret Sharing, draft-mcgrew-tss-02.txt, March 2009. Informational.

Threshold secret sharing (TSS) provides a way to generate N shares from a value, so that any M of those shares can be used to reconstruct the original value, but any M-1 shares provide no information about that value. This method can provide shared access control on key material and other secrets that must be strongly protected.

This note defines a threshold secret sharing method based on polynomial interpolation in GF(256) and a format for the storage and transmission of shares. It also provides usage guidance, describes how to test an implementation, and supplies test cases.



David A. McGrew and Scott R. Fluhrer, The Stream Cipher LEVIATHAN: Specification and Supporting Documentation, Submission to the New European Schemes for Signatures, Integrity, and Encryption (NESSIE) Standard, October 24, 2000.

Abstract: This paper specifies the synchronous stream cipher LEVIATHAN, and provides the supporting documentation for the NESSIE standardization process. The design of this cipher enables it to efficiently seek to arbitrary locations in its keystream, despite the fact that its state transition functions are nonlinear. The cipher is designed for high throughput on general purpose processors.

The package containing the specification, reference implementation, and supporting documentation for the NESSIE process is available online.  This is the third version of this package; it corrects some minor errors and ambiguities.  NESSIE is the New European Schemes for Signatures,  Integrity, and Encryption.

Canst thou draw out leviathan with a hook? (Job 41:1) Perhaps not, but Paul Crowley and Stefan Lucks published an analysis of the Bias in the LEVIATHAN stream cipher at the April, 2001 Fast Software Encryption Workshop. This work shows that bias can be observed with 2^36 bytes of output, and presents two distinguishers.

A relatively simple addition to the cipher is believed to eliminate this bias. However, the updated specification has not yet been published.

Counter Mode

Counter mode is a block cipher mode of operation of considerable interest, especially for use with AES. It is known to have good security properties, can be implemented using parallelism or pipelining, can be implemented using predictive strategies for keystream generation, has zero plaintext expansion (ciphertext that is the same length as the plaintext), and does not propagate bit errors during decryption. Additionally, it has recently been added to NIST's list of approved modes.

Secure RTP defines a counter mode variant in Section 4.1.1. This mode was chosen because it provides high security, has ciphertext that is no larger than the corresponding plaintext, and does not propagate bit errors on decryption.

Counter Mode Security: Analysis and Recommendations. Unpublished draft for IETF IPsec WG.

Integer Counter Mode, draft-mcgrew-saag-icm-00.txt. Individual submission to the IETF Security Area Advisory Group (SAAG). This draft defines a counter mode variant that is flexible enough to be applied to distinct application domains. Please note that this variant is not interoperable with that specified in the old Stream Cipher ESP document. This draft has expired and has not been resubmitted.

Segmented Integer Counter Mode: Specification and Rationale.  Submitted to NIST Modes of Operation Workshop, October, 2000. This document describes how counter mode can be used for packet encryption.


The Truncated Multi-Modular Hash (TMMH) is a derivative of MMH which provides universal hashing for use in a Carter-Wegman message authentication code.

TMMH Version Two is specified in draft-mcgrew-saag-tmmh-02.txt. See the Revision History section for a list of changes from the initial version. This draft has expired and has not been resubmitted.

The Universal Security Transform (UST)

UST is a data transform which provides confidentiality and message authentication by using a universal hash function (such as TMMH) with a segmented stream cipher (such as AES Counter Mode). It is specified in draft draft-mcgrew-saag-ust-00.txt. This transform is well optimized for protecting packet flows, minimizing computational cost and storage requirements while providing strong security. A previous draft describing UST was called draft-mcgrew-saag-sst-00.txt; the name was changed to avoid a potential trademark infringement.

This draft has expired and has not been resubmitted. Please see GCM, which follows the same framework and has the same benefits (though GCM is a block cipher mode, and will not work with an arbitrary pseudorandom function).

The Stream Cipher Encapsulating Security Payload (SC/ESP)

Individual submission to the IETF IPsec Working Group, draft-mcgrew-ipsec-scesp-02.txt.  IETF Internet Draft, November, 2000.  This is joint work with Scott Fluhrer and Cheryl Madson. This draft has expired and has not been resubmitted.

Revision History

draft-mcgrew-ipsec-scesp-02.txt - Added a section on Counter Mode, and a subsection on the security analysis of that cipher. Minor clarifications added.

draft-mcgrew-ipsec-scesp-01.txt - Changed a MAY to a MUST based on feedback from the presentation at the Pittsburgh IETF. Minor clarifications added.

draft-mcgrew-ipsec-scesp-00.txt - Original version.

The SEAL ESP is a specialization of SC/ESP; it is implemented in Cisco IOS. The SEAL cipher is described by a paper in the Journal of Cryptology that is also available online.

The Simple Certificate Enrollment Protocol (SCEP)

Xiaoyi Liu, Cheryl Madson, David McGrew, Andrew Nourse.  Cisco Systems' Simple Certificate Enrollment Protocol (SCEP). IETF Informational Draft.  Also published as a Cisco Systems, Inc. white paper.


N. Cam-Winget, D. McGrew, J. Salowey, H. Zhou. EAP Flexible Authentication via Secure Tunneling (EAP-FAST). IETF Informational Draft, April, 2005.


Other Work

Cisco Comments on the Advanced Encryption Standard.  These comments reflect a perspective on the AES requirements from the viewpoint of an implementer and vendor of cryptographic systems, and are part of the Round Two feedback of NIST's AES effort.

The Kerberos Key Management Protocol, now the IETF KINK WG.  

Key Management for Large Dynamic Groups, D. Balenson, D. McGrew, A. Sherman, IRTF Draft <draft-irtf-smug-groupkeymgmt-oft-00.txt>.

Key Management for Large Dynamic Groups: One-Way Function Trees and Amortized Initialization, D. Balenson, D. McGrew, A. Sherman, Expired IETF Internet Draft <draft-balenson-groupkeymgmt-oft-00.txt>.


Stream cipher encryption method and apparatus that can efficiently seek to  arbitrary locations in a key stream.  United States Patent 6,862,354.  David McGrew, Scott Fluhrer.  March 1, 2005. Assigned to Cisco Systems, Inc.

Publicly verifiable key recovery. United States Patent 6,249,585.  David McGrew, David Carman.  June 19, 2001.  Assigned to Network Associates, Inc.


Crypto Source Code

The source code online here is unrestricted encryption source code, as per Section 740.13(e) of the U. S. Export Administration Regulations.

This site includes publicly available encryption source code which, together with object code resulting from the compiling of publicly available source code, may be exported from the United States under License Exception "TSU" pursuant to 15 C.F.R. Section 740.13(e).

The source (and documentation) for LEVIATHAN is available as a tgz (tarred and gzipped) file.

libSRTP, an open source reference implementation of Secure RTP, is online at sourceforge.net. This work implements SRTP in a portable C library with a documented API.

The libsrtp distribution is a .tgz file containing C source code. The README file describes how to build the library and run the test driver and example programs. The API is described in the document libSRTP Overview and Documentation, which is included in the distribution as doc/libsrtp.pdf and is also available online.


Links to Other Sites

Here are links to some useful or interesting Internet sites.

IRTF Crypto Forum Research Group

The Crypto Forum Research Group (CFRG) is an Internet Research Task Force (IRTF) group for the discussion and review of cryptographic mechanisms for network security in general and for the IETF in particular. The group provides a forum where cryptographers, network security experts, and protocol designers can exchange ideas and investigate ways for using new cryptographic developments in the future Internet.

For more information on CFRG, please see the main web site or the charter.

RFC Citations of Crypto Algorithms

Cryptography is extensively used on the Internet. Many IETF RFCs define or make use of cryptographic algorithms or protocols. The CFRG maintains a set of references on the Internet Cryptography pages.

Open Source Crypto

The following open-source cryptography projects are all available online.

The OpenBSD operating system includes IPsec (and IPv6 as well).

As of Linux 2.5.47, there is a native IPsec implementation in the kernel. For older versions, there is the FreeS/WAN project.

OpenSSH is a BSD-licensed SSH version developed by the OpenBSD community.

GNU SSH Version 2.0 is a GPL-licensed SSH version.

GNU Privacy Guard (GPG)

Here is the main Kerberos page at MIT.

The OpenSSL project has great momentum.

X.509 Certificates and Cryptographic Message Syntax (CMS)

S/MIME Freeware Library.

Ciphers and Hash functions

Wei Dai’s crypto++ library is an extensive C++ crypto library.

The cryptography.org website offers a good collection of cryptographic functions.

Eric Young's code has been the basis for several other open-source efforts.

Operating Systems

The OpenBSD operating system is a security-conscious BSD variant that is laden with crypto.

The TrustedBSD project is adding security to FreeBSD.

The Security-Enhanced Linux kernel is a version of that operating system that is instrumented to support mandatory access controls.

The Trustix operating system is a high-assurance variant of Linux.

Security Specifications

The Internet Engineering Task Force (IETF) Security Area web page.

The IEEE Standard Specifications For Public-Key Cryptography (IEEE P1363 Working Group).

U. S. Federal Information Processing Standards (FIPS) on Computer Security.

The Public Key Cryptography Standards (PKCS) web page.  Run by RSA, Inc.

The Standards for Efficient Cryptography Group (SECG).  Run by Certicom, Inc.

The ATM Forum web page, which contains the ATM Security Framework Version 1.0 and ATM Security Specification Version 1.0.

Korean Security Standards.

Wireless LAN Security: The Bluetooth Specification. This spec contains an LFSR-based cipher called `E0' (which is a variant of a summation generator) in section 14.3.4. Source code for this cipher is available online here.

Other Pages of Interest

The International Association for Cryptologic Research.

The Standard Cryptographic Algorithm Naming web page, maintained by the Cryptix Foundation.  A good reference for cryptographic functions.

Ron Rivest's crypto page, a good resource for crypto stuff on the web.

Kevin McCurley's list of cryptographers' webpages.

Wei Dai's benchmarks of the cryptographic primitives in his crypto++ library.

The National Cryptologic Museum.

Official disclaimer: I am not related to this person.

Last updated December, 2014.