Network Working Group                                            W. Kim
Internet-Draft                                                   J. Lee
Intended status: Informational                                  J. Park
Expires: May 30, 2011                                           D. Kwon
                                                                   NSRI
                                                       December 1, 2010


   Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)
                        draft-nsri-tls-aria-01.txt

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.
   Note that other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on May 30, 2011.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Abstract

   This document specifies a set of cipher suites for the Transport
   Layer Security (TLS) protocol to support the ARIA encryption
   algorithm as a block cipher.

1.  Introduction

   This document proposes the addition of new cipher suites to the
   Transport Layer Security (TLS) [RFC5246] protocol to support the
   ARIA [RFC5794] encryption algorithm as a block cipher.  The proposed
   cipher suites include variants using the SHA-2 family of
   cryptographic hash functions and ARIA in Galois Counter Mode.
   Elliptic curve cipher suites and pre-shared key (PSK) cipher suites
   are also included.

   Cipher suites with SHA-1 are not included in this document.  Due to
   recent analytic work on SHA-1 [Wang05], the IETF is gradually moving
   away from SHA-1 and towards stronger hash algorithms.

1.1.  ARIA

   ARIA is a general-purpose block cipher algorithm developed by Korean
   cryptographers in 2003.  It is an iterated block cipher with 128-,
   192-, and 256-bit keys that encrypts 128-bit blocks in 12, 14, and
   16 rounds respectively, depending on the key size.  It is designed
   to be suitable for most software and hardware implementations on
   32-bit and 8-bit processors.  It was established as a Korean
   standard block cipher algorithm in 2004 [ARIAKS] and has been widely
   used in Korea, especially for government-to-public services.  It was
   included in PKCS #11 in 2007 [ARIAPKCS].  The algorithm
   specification and object identifiers are described in [RFC5794].

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Proposed Cipher Suites

2.1.  HMAC-based Cipher Suites

   The first twenty cipher suites use ARIA [RFC5794] in Cipher Block
   Chaining (CBC) mode with an HMAC-based MAC.  Eight of the twenty use
   elliptic curve key exchange.
   CipherSuite TLS_RSA_WITH_ARIA_128_CBC_SHA256          = { TBD,TBD };
   CipherSuite TLS_RSA_WITH_ARIA_256_CBC_SHA384          = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384       = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384       = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };

   CipherSuite TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256  = { TBD,TBD };
   CipherSuite TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384  = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256   = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384   = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256    = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384    = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256     = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384     = { TBD,TBD };

2.2.  Galois Counter Mode-based Cipher Suites

   The next twenty cipher suites use the same asymmetric algorithms as
   those in the previous section, but use the authenticated encryption
   modes defined in TLS 1.2 with ARIA in Galois Counter Mode (GCM)
   [GCM].
   CipherSuite TLS_RSA_WITH_ARIA_128_GCM_SHA256          = { TBD,TBD };
   CipherSuite TLS_RSA_WITH_ARIA_256_GCM_SHA384          = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384       = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384       = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };

   CipherSuite TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256  = { TBD,TBD };
   CipherSuite TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384  = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256   = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384   = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256    = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384    = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256     = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384     = { TBD,TBD };

2.3.  Pre-shared key (PSK) Cipher Suites

   The next twelve cipher suites are pre-shared key cipher suites.  The
   first six use an HMAC-based MAC and the next six use ARIA in Galois
   Counter Mode.
   CipherSuite TLS_PSK_WITH_ARIA_128_CBC_SHA256          = { TBD,TBD };
   CipherSuite TLS_PSK_WITH_ARIA_256_CBC_SHA384          = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };
   CipherSuite TLS_PSK_WITH_ARIA_128_GCM_SHA256          = { TBD,TBD };
   CipherSuite TLS_PSK_WITH_ARIA_256_GCM_SHA384          = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };

3.  Cipher Suite Definitions

3.1.  Key Exchange

   The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS and DH_anon key exchanges
   are performed as defined in [RFC5246].  The ECDH and ECDHE key
   exchanges are performed as for the elliptic curve cipher suites in
   [RFC5289].

3.2.  Cipher

   The ARIA_128_CBC cipher suites use ARIA [RFC5794] in CBC mode with a
   128-bit key and a 128-bit IV; the ARIA_256_CBC cipher suites use a
   256-bit key and a 128-bit IV.

   The AES authenticated encryption with additional data (AEAD)
   algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM are described in
   [RFC5116], and the AES GCM cipher suites for TLS are described in
   [RFC5288].  AES and ARIA share the same key sizes and block length,
   so ARIA_128_GCM and ARIA_256_GCM are defined exactly as
   AEAD_AES_128_GCM and AEAD_AES_256_GCM are, with ARIA substituted for
   AES as the underlying block cipher; in particular, the nonce and
   additional data are constructed as in [RFC5288].

3.3.  PRFs

   The PRFs SHALL be as follows:

   a. For cipher suites ending with _SHA256, the PRF is the TLS PRF
      [RFC5246] using SHA-256 as the hash function.

   b. For cipher suites ending with _SHA384, the PRF is the TLS PRF
      [RFC5246] using SHA-384 as the hash function.

3.4.  Pre-shared key (PSK) cipher suites

   Pre-shared key cipher suites for TLS are described in [RFC4279],
   [RFC4785], [RFC5487] and [RFC5489].
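   The following is an added example, written for this page and not
   part of the draft, showing what Sections 3.2 and 3.3 inherit from
   TLS 1.2 for the ARIA suites: the SHA-256/SHA-384 PRF of [RFC5246],
   the master secret and key block derivation and their partitioning
   into MAC keys, encryption keys and the 4-byte implicit GCM salt, the
   MAC input for the CBC suites, and the nonce and additional_data
   layout of [RFC5288] for the GCM suites.  It uses only the Python
   standard library and never invokes ARIA itself; the SUITE_PARAMS
   table (MAC key length equal to the HMAC hash output, no IV material
   for TLS 1.2 CBC suites since their records carry an explicit IV) and
   the sample secrets and randoms are constructed for illustration.

```python
"""TLS 1.2 key derivation and record-layer inputs shared by the ARIA
suites (RFC 5246 PRF and key block, RFC 5288 GCM nonce layout).
Added example, not code from the draft; ARIA itself is not invoked."""
import hmac
import struct


def p_hash(hash_name, secret, seed, length):
    """RFC 5246, 5: P_hash(secret, seed) = HMAC(secret, A(1)+seed) ||
    HMAC(secret, A(2)+seed) || ...  with A(0)=seed, A(i)=HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length, hash_name):
    """TLS 1.2 PRF(secret, label, seed) = P_<hash>(secret, label + seed);
    _SHA256 suites use sha256, _SHA384 suites use sha384 (Section 3.3)."""
    return p_hash(hash_name, secret, label + seed, length)


# Constructed per-suite table: (PRF hash, mac_key_len, enc_key_len, fixed_iv_len).
# CBC suites take HMAC keys of the hash output size and no IV material
# (TLS 1.2 CBC records carry an explicit per-record IV); GCM suites take no
# MAC key and a 4-byte implicit salt (RFC 5288, Section 3).
SUITE_PARAMS = {
    "ARIA_128_CBC_SHA256": ("sha256", 32, 16, 0),
    "ARIA_256_CBC_SHA384": ("sha384", 48, 32, 0),
    "ARIA_128_GCM_SHA256": ("sha256", 0, 16, 4),
    "ARIA_256_GCM_SHA384": ("sha384", 0, 32, 4),
}
KEY_NAMES = ("client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV")


def master_secret(suite, pre_master_secret, client_random, server_random):
    """RFC 5246, 8.1: 48 bytes of PRF(pms, "master secret", client || server)."""
    return tls12_prf(pre_master_secret, b"master secret",
                     client_random + server_random, 48, SUITE_PARAMS[suite][0])


def key_block(suite, master, client_random, server_random):
    """RFC 5246, 6.3: PRF(master, "key expansion", server || client) split in
    KEY_NAMES order.  Note the randoms are swapped relative to master_secret()."""
    hash_name, mac_len, key_len, iv_len = SUITE_PARAMS[suite]
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = tls12_prf(master, b"key expansion",
                      server_random + client_random, sum(sizes), hash_name)
    keys, offset = {}, 0
    for name, size in zip(KEY_NAMES, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def record_header(seq_num, content_type, version, length):
    """seq_num(8) || type(1) || version(2) || length(2): the MAC prefix for CBC
    suites (RFC 5246, 6.2.3.1) and additional_data for AEAD suites (6.2.3.3)."""
    return struct.pack(">QBHH", seq_num, content_type, version, length)


def cbc_record_mac(suite, mac_key, seq_num, content_type, version, fragment):
    """MAC-then-encrypt: HMAC over header || plaintext with the suite's hash."""
    header = record_header(seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, SUITE_PARAMS[suite][0]).digest()


def gcm_nonce(write_iv, seq_num):
    """RFC 5288, 3: nonce = salt(4, the implicit write_IV) || nonce_explicit(8).
    The sequence number is one permitted explicit part; it never repeats
    under a key, which GCM requires."""
    if len(write_iv) != 4:
        raise ValueError("GCM salt must be the 4-byte write IV from the key block")
    return write_iv + struct.pack(">Q", seq_num)


# Constructed sample handshake values, not real ones.
SAMPLE_PMS = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x11" * 32
SAMPLE_SERVER_RANDOM = b"\x22" * 32


def demo(suite="ARIA_128_GCM_SHA256"):
    """Derive keys for one suite and build the first record's nonce and AAD."""
    ms = master_secret(suite, SAMPLE_PMS, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    keys = key_block(suite, ms, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    nonce = gcm_nonce(keys["client_write_IV"], seq_num=0)
    aad = record_header(0, 23, 0x0303, 5)  # application_data, TLS 1.2, 5 bytes
    return ms, keys, nonce, aad


if __name__ == "__main__":
    ms, keys, nonce, aad = demo()
    for name, value in keys.items():
        print(f"{name:22s} {value.hex()}")
    print("nonce", nonce.hex(), "aad", aad.hex())
```

   Because the GCM suites derive no MAC key, everything the record
   layer needs beyond the encryption key is the 4-byte salt; the
   remaining 8 bytes of nonce travel in the clear with each record, so
   an implementation that reuses an explicit nonce under one key loses
   both confidentiality and integrity for GCM, whichever block cipher
   is underneath.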
4.  Security Considerations

   At the time of writing, no attack on full-round ARIA is known; the
   best published results apply to reduced-round variants (see [YWL]).

   The security considerations in previous RFCs [RFC4279, RFC4785,
   RFC5116, RFC5288, RFC5289, RFC5487] and [GCM] apply to this document
   as well.  In particular, as [RFC5288] and [GCM] note, a nonce must
   never be reused with the same key under the GCM suites.

5.  IANA Considerations

   IANA is requested to allocate the following numbers in the TLS
   Cipher Suite Registry:

   CipherSuite TLS_RSA_WITH_ARIA_128_CBC_SHA256          = { TBD,TBD };
   CipherSuite TLS_RSA_WITH_ARIA_256_CBC_SHA384          = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384       = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384       = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };

   CipherSuite TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256  = { TBD,TBD };
   CipherSuite TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384  = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256   = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384   = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256    = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384    = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256     = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384     = { TBD,TBD };

   CipherSuite TLS_RSA_WITH_ARIA_128_GCM_SHA256          = { TBD,TBD };
   CipherSuite TLS_RSA_WITH_ARIA_256_GCM_SHA384          = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384       = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384       = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };

   CipherSuite TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256  = { TBD,TBD };
   CipherSuite TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384  = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256   = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384   = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256    = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384    = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256     = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384     = { TBD,TBD };

   CipherSuite TLS_PSK_WITH_ARIA_128_CBC_SHA256          = { TBD,TBD };
   CipherSuite TLS_PSK_WITH_ARIA_256_CBC_SHA384          = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384      = { TBD,TBD };
   CipherSuite TLS_PSK_WITH_ARIA_128_GCM_SHA256          = { TBD,TBD };
   CipherSuite TLS_PSK_WITH_ARIA_256_GCM_SHA384          = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384      = { TBD,TBD };

6.  References

6.1.  Normative References

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", National
              Institute of Standards and Technology SP 800-38D,
              November 2007.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4279]  Eronen, P. and H. Tschofenig, "Pre-Shared Key
              Ciphersuites for Transport Layer Security (TLS)",
              RFC 4279, December 2005.

   [RFC4785]  Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK)
              Ciphersuites with NULL Encryption for Transport Layer
              Security (TLS)", RFC 4785, January 2007.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for
              Authenticated Encryption", RFC 5116, January 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer
              Security (TLS) Protocol Version 1.2", RFC 5246,
              August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              August 2008.

   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with
              SHA-256/384 and AES Galois Counter Mode (GCM)",
              RFC 5289, August 2008.

   [RFC5487]  Badra, M., "Pre-Shared Key Cipher Suites for TLS with
              SHA-256/384 and AES Galois Counter Mode", RFC 5487,
              March 2009.

   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [RFC5794]  Lee, J., Lee, J., Kim, J., Kwon, D., and C. Kim, "A
              Description of the ARIA Encryption Algorithm", RFC 5794,
              March 2010.

6.2.  Informative References

   [YWL]      Li, Y., Wu, W., and L. Zhang, "Integral Attacks on
              Reduced-Round ARIA Block Cipher", ISPEC 2010, LNCS
              vol. 6047, pp. 19-29, 2010.

   [ARIAKS]   Korean Agency for Technology and Standards (KATS),
              "128 bit block encryption algorithm ARIA - Part 1:
              General", KS X 1213-1:2009, December 2009 (in Korean).

   [ARIAPKCS] RSA Laboratories, "PKCS #11 v2.20 Amendment 3 Revision
              1: Additional PKCS #11 Mechanisms", January 2007.

   [Wang05]   Wang, X., Yin, Y., and H. Yu, "Finding Collisions in the
              Full SHA-1", CRYPTO 2005, August 2005.

Authors' Addresses

   Woo-Hwan Kim
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
   Email: whkim5@ensec.re.kr

   Jungkeun Lee
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
   Email: jklee@ensec.re.kr

   Je-Hong Park
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
   Email: jhpark@ensec.re.kr

   Daesung Kwon
   National Security Research Institute
   P.O.Box 1, Yuseong, Daejeon, 305-350, Korea
   Email: ds_kwon@ensec.re.kr