Network Working Group                                           S. Kanno
Internet-Draft                                  NTT Software Corporation
Intended status: Informational                                  M. Kanda
Expires: December 17, 2011                                           NTT
                                                           June 15, 2011

Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
                       draft-kanno-tls-camellia-03

Abstract

   This document specifies forty-two cipher suites for the Transport
   Layer Security (TLS) protocol to additionally support the Camellia
   encryption algorithm as a block cipher.
Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 17, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Proposed Cipher Suites
     2.1.  HMAC based Cipher Suites
     2.2.  GCM based Cipher Suites
     2.3.  PSK based Cipher Suites
   3.  Cipher Suite Definitions
     3.1.  Key Exchange
     3.2.  Cipher
     3.3.  PRFs
     3.4.  PSK cipher suites
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Authors' Addresses

1.  Introduction

   Camellia cipher suites for TLS are already specified in RFC5932
   [15]; those suites use Camellia in CBC mode with HMAC-SHA-256 and
   the RSA and Diffie-Hellman based key exchanges.  This document
   proposes the addition of new cipher suites to the Transport Layer
   Security (TLS) [8] protocol to support the Camellia [4] cipher
   algorithm as a block cipher algorithm.  The proposed cipher suites
   include variants using the SHA-2 family of cryptographic hash
   functions [13] and Galois/Counter Mode (GCM) [14].  Elliptic curve
   cipher suites and Pre-Shared Key (PSK) [5] cipher suites are also
   included.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [3].

2.  Proposed Cipher Suites

2.1.  HMAC based Cipher Suites

   The following eight cipher suites use Camellia [4] in Cipher Block
   Chaining (CBC) mode with a SHA-2 family HMAC, with elliptic curve
   Diffie-Hellman key exchange (ECDH or ECDHE) and ECDSA or RSA
   authentication:

   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};

2.2.  GCM based Cipher Suites

   The following twenty cipher suites use the RSA and Diffie-Hellman
   key exchanges of RFC5932 [15] and the elliptic curve key exchanges
   of the previous section, but use the authenticated encryption with
   additional data (AEAD) cipher type defined in TLS 1.2 [8] with
   Camellia in GCM [14].  TLS 1.2 is required for these suites, since
   earlier TLS versions have no AEAD cipher type.

   CipherSuite TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};

2.3.  PSK based Cipher Suites

   The following fourteen cipher suites are PSK cipher suites.  The
   first six use Camellia in GCM; the remaining eight use Camellia in
   CBC mode with a SHA-2 family HMAC.  The pre-shared key is used
   alone (PSK), combined with Diffie-Hellman (DHE_PSK), with RSA
   (RSA_PSK), or with elliptic curve Diffie-Hellman (ECDHE_PSK):

   CipherSuite TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};

3.  Cipher Suite Definitions

3.1.  Key Exchange

   The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, and DH_anon key exchanges
   are performed as defined in RFC5246 [8].  The ECDH and ECDHE key
   exchanges are performed as defined for the TLS elliptic curve cipher
   suites in RFC 4492, as updated by RFC5246 [8].  The PSK, DHE_PSK,
   and RSA_PSK key exchanges are performed as defined in RFC4279 [5],
   and ECDHE_PSK as defined in RFC5489 [12].

3.2.  Cipher

   This document describes cipher suites based on the Camellia cipher
   using CBC mode and GCM.
   The details are as follows.

   The CAMELLIA_128_CBC cipher suites use Camellia [4] in CBC mode with
   a 128-bit key and a 128-bit Initialization Vector (IV); the
   CAMELLIA_256_CBC cipher suites use a 256-bit key and a 128-bit IV.
   Camellia has a 128-bit block size, so the IV is one block for both
   key sizes.

   The Advanced Encryption Standard (AES) [19] authenticated encryption
   with additional data algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM
   are described in RFC5116 [7], and the AES GCM cipher suites for TLS
   are described in RFC5288 [9].  AES and Camellia share the same key
   sizes and the same 128-bit block length, so GCM [14] applies to
   Camellia unchanged.  CAMELLIA_128_GCM and CAMELLIA_256_GCM are
   therefore defined in the same way as AEAD_AES_128_GCM and
   AEAD_AES_256_GCM, with Camellia substituted for AES as the block
   cipher.  In particular, the 12-byte nonce (a 4-byte implicit part
   taken from the key block plus an 8-byte explicit part carried in
   each record) and the additional authenticated data are formed as in
   RFC5288 [9].

3.3.  PRFs

   The hash algorithms and PseudoRandom Function (PRF) algorithms for
   TLS 1.2 [8] SHALL be as follows:

   a) The cipher suites ending with _SHA256 use HMAC-SHA-256 [1] as the
      MAC algorithm.  The PRF is the TLS PRF [8] with SHA-256 [13] as
      the hash function.

   b) The cipher suites ending with _SHA384 use HMAC-SHA-384 [1] as the
      MAC algorithm.  The PRF is the TLS PRF [8] with SHA-384 [13] as
      the hash function.

   For the GCM cipher suites, which have no separate MAC because GCM
   itself provides integrity, the _SHA256 or _SHA384 suffix names only
   the PRF hash function.

   When the CBC cipher suites are used with TLS versions prior to 1.2
   (TLS 1.0 [2] and TLS 1.1 [6]), the PRF is calculated as specified in
   the appropriate version of the TLS specification.  The GCM cipher
   suites are not available with those versions (see Section 2.2).

3.4.  PSK cipher suites

   PSK cipher suites for TLS with SHA-256/384 and AES GCM are described
   in RFC5487 [11], and ECDHE_PSK cipher suites in RFC5489 [12].  The
   PSK cipher suites of this document follow those specifications with
   Camellia in place of AES.

4.  Security Considerations

   At the time of writing this document there are no known weak keys
   for Camellia, and no security problem has been found in Camellia
   (see NESSIE [16], CRYPTREC [17], and LNCS 5867 [18]).

   The security considerations in previous RFCs (RFC5116 [7], RFC5289
   [10], and RFC5487 [11]) apply to this document as well.  In
   particular, as RFC5288 [9] notes for the AES GCM cipher suites, GCM
   loses both confidentiality and integrity if a nonce is ever reused
   under the same key, so implementations of the Camellia GCM cipher
   suites need the nonce construction of RFC5288 [9] with an explicit
   part that never repeats for a given write key.
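   The key derivation that Sections 3.2 and 3.3 leave to RFC5246 and
   RFC5288, worked through in code.  This is an added example, not code
   from the draft or its authors: it implements the TLS 1.2 PRF with
   HMAC-SHA-256 or HMAC-SHA-384 as the suite's suffix requires, expands
   and partitions the key block for the CBC and GCM Camellia suites
   (MAC key, encryption key, and 4-byte GCM implicit nonce per suite),
   and builds the RFC5288 record nonce and additional data for a GCM
   suite.  The master secret and randoms are constructed sample values,
   and the per-suite length table and the function names are the
   example's own.  Only the Python standard library is used.

```python
"""TLS 1.2 key block derivation for the Camellia cipher suites.

Added example (not part of draft-kanno-tls-camellia): TLS 1.2 PRF
(RFC 5246 section 5), key block partitioning (RFC 5246 section 6.3)
and AEAD record nonce / additional data framing (RFC 5288 section 3).
"""
import hashlib
import hmac
import struct

# Per-suite cipher parameters, assumed here from Sections 3.2 and 3.3 of
# the draft plus RFC 5246/5288: (enc_key_len, mac_key_len, fixed_iv_len, hash).
# In TLS 1.2 the CBC suites carry an explicit per-record IV, so no IV is taken
# from the key block; the GCM suites take a 4-byte implicit nonce part from it.
SUITE_PARAMS = {
    "CAMELLIA_128_CBC_SHA256": (16, 32, 0, "sha256"),
    "CAMELLIA_256_CBC_SHA384": (32, 48, 0, "sha384"),
    "CAMELLIA_128_GCM_SHA256": (16, 0, 4, "sha256"),
    "CAMELLIA_256_GCM_SHA384": (32, 0, 4, "sha384"),
}


def suite_params(cipher_suite):
    """Map e.g. TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 to its cipher and
    MAC parameters; the key exchange part before _WITH_ does not affect them."""
    _, _, cipher = cipher_suite.partition("_WITH_")
    return SUITE_PARAMS[cipher]


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 5246: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(hash_name, secret, label, seed, length):
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(hash_name, secret, label + seed, length)


def derive_key_block(cipher_suite, master_secret, client_random, server_random):
    """Expand the master secret and split the key block in the RFC 5246 order:
    client MAC key, server MAC key, client key, server key, client IV, server IV."""
    enc_len, mac_len, iv_len, hash_name = suite_params(cipher_suite)
    total = 2 * (mac_len + enc_len + iv_len)
    # Note the seed order: server_random first, unlike the master secret step.
    block = tls12_prf(hash_name, master_secret, b"key expansion",
                      server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, enc_len, enc_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def gcm_record_nonce_and_aad(salt, seq_num, content_type, version, plaintext_len):
    """RFC 5288 framing for one AEAD record: 12-byte nonce = 4-byte implicit
    salt (the write IV from the key block) || 8-byte explicit part (here the
    record sequence number, which RFC 5288 permits), and additional data =
    seq_num || type || version || length of the plaintext."""
    explicit = struct.pack(">Q", seq_num)
    nonce = salt + explicit
    aad = explicit + bytes([content_type]) + version + struct.pack(">H", plaintext_len)
    return nonce, explicit, aad


# Constructed sample inputs, not values from any real handshake.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"):
        keys = derive_key_block(suite, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
        print(suite)
        for name, value in keys.items():
            print(f"  {name:22s} {len(value):2d} bytes  {value.hex()}")
    salt = derive_key_block("TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", MASTER_SECRET,
                            CLIENT_RANDOM, SERVER_RANDOM)["client_write_IV"]
    # First application-data record (type 23) of 5 plaintext bytes in TLS 1.2.
    nonce, explicit, aad = gcm_record_nonce_and_aad(salt, 0, 23, b"\x03\x03", 5)
    print("GCM nonce", nonce.hex(), "explicit part on the wire", explicit.hex(),
          "AAD", aad.hex())
```

   Because P_hash is a prefix-consistent stream, two suites with the
   same PRF hash (for example CAMELLIA_128_CBC_SHA256 and
   CAMELLIA_128_GCM_SHA256) expand the same master secret into the same
   byte stream and differ only in how it is sliced; the GCM client write
   key is the first 16 bytes of what the CBC suite would use as the
   client MAC key.  Switching to a _SHA384 suite changes the stream
   itself.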
5.  IANA Considerations

   IANA is requested to allocate the following numbers in the TLS Cipher
   Suite Registry:

   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = {TBD,TBD};
   CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = {TBD,TBD};
   CipherSuite TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};
   CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = {TBD,TBD};
   CipherSuite TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = {TBD,TBD};

6.  References

6.1.  Normative References

   [1]   Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
         for Message Authentication", RFC 2104, February 1997.

   [2]   Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
         RFC 2246, January 1999.

   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [4]   Matsui, M., Nakajima, J., and S. Moriai, "A Description of the
         Camellia Encryption Algorithm", RFC 3713, April 2004.

   [5]   Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites for
         Transport Layer Security (TLS)", RFC 4279, December 2005.

   [6]   Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
         Protocol Version 1.1", RFC 4346, April 2006.

   [7]   McGrew, D., "An Interface and Algorithms for Authenticated
         Encryption", RFC 5116, January 2008.

   [8]   Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
         Protocol Version 1.2", RFC 5246, August 2008.

   [9]   Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter
         Mode (GCM) Cipher Suites for TLS", RFC 5288, August 2008.

   [10]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-256/
         384 and AES Galois Counter Mode (GCM)", RFC 5289, August 2008.

   [11]  Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA-256/
         384 and AES Galois Counter Mode", RFC 5487, March 2009.

   [12]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for Transport
         Layer Security (TLS)", RFC 5489, March 2009.

   [13]  National Institute of Standards and Technology, "Secure Hash
         Standard (SHS)", FIPS PUB 180, October 2008.

   [14]  Dworkin, M., "Recommendation for Block Cipher Modes of
         Operation: Galois/Counter Mode (GCM) for Confidentiality and
         Authentication", April 2006.

6.2.  Informative References

   [15]  Kato, A., Kanda, M., and S. Kanno, "Camellia Cipher Suites for
         TLS", RFC 5932, June 2010.

   [16]  "The NESSIE project (New European Schemes for Signatures,
         Integrity and Encryption)".

   [17]  "CRYPTREC (Cryptography Research and Evaluation Committees)".

   [18]  Mala, H., Shakiba, M., and M. Dakhil-alian, "New Results on
         Impossible Differential Cryptanalysis of Reduced Round
         Camellia-128", November 2009.

   [19]  National Institute of Standards and Technology, "Advanced
         Encryption Standard (AES)", FIPS PUB 197, November 2001.

Authors' Addresses

   Satoru Kanno
   NTT Software Corporation

   Phone: +81-45-212-9803
   Fax:   +81-45-212-9800
   Email: kanno.satoru@po.ntts.co.jp


   Masayuki Kanda
   NTT

   Phone: +81-422-59-3456
   Fax:   +81-422-59-4015
   Email: kanda.masayuki@lab.ntt.co.jp