idnits 2.17.1 draft-ietf-tls-ecc-new-mac-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 255. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 266. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 273. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 279. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 9, 2008) is 5828 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group E. Rescorla 3 Internet-Draft RTFM, Inc. 4 Intended status: Informational May 9, 2008 5 Expires: November 10, 2008 7 TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter 8 Mode 9 draft-ietf-tls-ecc-new-mac-07.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on November 10, 2008. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2008). 40 Abstract 42 RFC 4492 describes elliptic curve cipher suites for Transport Layer 43 Security (TLS). However, all those cipher suites use SHA-1 as their 44 MAC algorithm. This document describes sixteen new cipher suites for 45 TLS which specify stronger digest algorithms. Eight use HMAC with 46 SHA-256 or SHA-384 and eight use AES in Galois Counter Mode (GCM). 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 2. Conventions Used In This Document . . . . . . . . . . . . . . . 3 52 3. Cipher Suites . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 3.1. HMAC-based Cipher Suites . . . . . . . . . . . . . . . . . 3 54 3.2. Galois Counter Mode-based Cipher Suites . . . . . . . . . . 4 55 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 56 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 57 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5 58 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 59 7.1. Normative References . . . . . . . . . . . . . . . . . . . 5 60 7.2. Informative References . . . . . . . . . . . . . . . . . . 6 61 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6 62 Intellectual Property and Copyright Statements . . . . . . . . . . 7 64 1. Introduction 66 RFC 4492 [RFC4492] describes Elliptic Curve Cryptography (ECC) cipher 67 suites for Transport Layer Security (TLS). However, all of the RFC 68 4492 suites use HMAC-SHA1 as their MAC algorithm. Due to recent 69 analytic work on SHA-1 [Wang05], the IETF is gradually moving away 70 from SHA-1 and towards stronger hash algorithms. This document 71 specifies TLS ECC cipher suites which use SHA-256 and SHA-384 [SHS] 72 rather than SHA-1. 74 TLS 1.2 [I-D.ietf-tls-rfc4346-bis], adds support for authenticated 75 encryption with additional data (AEAD) cipher modes [RFC5116]. This 76 document also specifies a set of ECC cipher suites using one such 77 mode, Galois Counter Mode (GCM) [GCM]. Another document 78 [I-D.ietf-tls-rsa-aes-gcm], provides support for GCM with other key 79 establishment methods. 81 2. Conventions Used In This Document 83 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 84 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 85 document are to be interpreted as described in [RFC2119]. 87 3. Cipher Suites 89 This document defines 16 new cipher suites to be added to TLS. All 90 use Elliptic Curve Cryptography for key exchange and digital 91 signature, as defined in RFC 4492. 93 3.1. HMAC-based Cipher Suites 95 The first eight cipher suites use AES [AES] in CBC [CBC] mode with an 96 HMAC-based MAC: 98 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX}; 99 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX}; 100 CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX}; 101 CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX}; 102 CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX}; 103 CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX}; 104 CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX}; 105 CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX}; 107 These eight cipher suites are the same as the corresponding cipher 108 suites in RFC 4492 (with names ending in "_SHA" in place of "_SHA256" 109 or "_SHA384"), except for the hash and PRF algorithms. 111 These SHALL be as follows: 113 o For cipher suites ending with _SHA256, the PRF is the TLS PRF 114 [I-D.ietf-tls-rfc4346-bis] with SHA-256 as the hash function. The 115 MAC is HMAC [RFC2104] with SHA-256 as the hash function. 116 o For cipher suites ending with _SHA384, the PRF is the TLS PRF 117 [I-D.ietf-tls-rfc4346-bis] with SHA-384 as the hash function. The 118 MAC is HMAC [RFC2104] with SHA-384 as the hash function. 120 3.2. Galois Counter Mode-based Cipher Suites 122 The second eight cipher suites use the same asymmetric algorithms as 123 those in the previous section but use the new authenticated 124 encryption modes defined in TLS 1.2 with AES in Galois Counter Mode 125 (GCM) [GCM]: 127 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX}; 128 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX}; 129 CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX}; 130 CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX}; 131 CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX}; 132 CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX}; 133 CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX}; 134 CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX}; 136 These cipher suites use authenticated encryption with additional data 137 algorithms AEAD_AES_128_GCM and AEAD_AES_256_GCM described in 138 [RFC5116]. GCM is used as described in [I-D.ietf-tls-rsa-aes-gcm]. 140 The PRFs SHALL be as follows: 142 o For cipher suites ending with _SHA256, the PRF is the TLS PRF 143 [I-D.ietf-tls-rfc4346-bis] with SHA-256 as the hash function. 144 o For cipher suites ending with _SHA384, the PRF is the TLS PRF 145 [I-D.ietf-tls-rfc4346-bis] with SHA-384 as the hash function. 147 4. Security Considerations 149 The security considerations in RFC 4346, RFC 4492, and 150 [I-D.ietf-tls-rsa-aes-gcm] apply to this document as well. In 151 addition, as described in [I-D.ietf-tls-rsa-aes-gcm], these cipher 152 suites may only be used with TLS 1.2 or greater. 154 5. IANA Considerations 156 IANA has assigned the following values for these cipher suites: 158 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX}; 159 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX}; 160 CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX}; 161 CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX}; 162 CipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX}; 163 CipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX}; 164 CipherSuite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = {0xXX,XX}; 165 CipherSuite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = {0xXX,XX}; 166 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX}; 167 CipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX}; 168 CipherSuite TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX}; 169 CipherSuite TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX}; 170 CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX}; 171 CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX}; 172 CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = {0xXX,XX}; 173 CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = {0xXX,XX}; 175 6. Acknowledgements 177 This work was supported by the US Department of Defense. 179 David McGrew, Pasi Eronen, and Alfred Hoenes provided reviews of this 180 document. 182 7. References 184 7.1. Normative References 186 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 187 Hashing for Message Authentication", RFC 2104, 188 February 1997. 190 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 191 Requirement Levels", BCP 14, RFC 2119, March 1997. 193 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 194 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 195 for Transport Layer Security (TLS)", RFC 4492, May 2006. 197 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 198 Encryption", RFC 5116, January 2008. 200 [I-D.ietf-tls-rfc4346-bis] 201 Dierks, T. and E. Rescorla, "The Transport Layer Security 202 (TLS) Protocol Version 1.2", draft-ietf-tls-rfc4346-bis-10 203 (work in progress), March 2008. 205 [I-D.ietf-tls-rsa-aes-gcm] 206 Salowey, J., Choudhury, A., and D. McGrew, "AES-GCM Cipher 207 Suites for TLS", draft-ietf-tls-rsa-aes-gcm-03 (work in 208 progress), April 2008. 210 [AES] National Institute of Standards and Technology, 211 "Specification for the Advanced Encryption Standard 212 (AES)", FIPS 197, November 2001. 214 [SHS] National Institute of Standards and Technology, "Secure 215 Hash Standard", FIPS 180-2, August 2002. 217 [CBC] National Institute of Standards and Technology, 218 "Recommendation for Block Cipher Modes of Operation - 219 Methods and Techniques", SP 800-38A, December 2001. 221 [GCM] National Institute of Standards and Technology, 222 "Recommendation for Block Cipher Modes of Operation: 223 Galois/Counter Mode (GCM) for Confidentiality and 224 Authentication", SP 800-38D, November 2007. 226 7.2. Informative References 228 [Wang05] Wang, X., Yin, Y., and H. Yu, "Finding Collisions in the 229 Full SHA-1", CRYPTO 2005, August 2005. 231 Author's Address 233 Eric Rescorla 234 RTFM, Inc. 235 2064 Edgewood Drive 236 Palo Alto 94303 237 USA 239 Email: ekr@rtfm.com 241 Full Copyright Statement 243 Copyright (C) The IETF Trust (2008). 245 This document is subject to the rights, licenses and restrictions 246 contained in BCP 78, and except as set forth therein, the authors 247 retain all their rights. 249 This document and the information contained herein are provided on an 250 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 251 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 252 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 253 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 254 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 255 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 257 Intellectual Property 259 The IETF takes no position regarding the validity or scope of any 260 Intellectual Property Rights or other rights that might be claimed to 261 pertain to the implementation or use of the technology described in 262 this document or the extent to which any license under such rights 263 might or might not be available; nor does it represent that it has 264 made any independent effort to identify any such rights. Information 265 on the procedures with respect to rights in RFC documents can be 266 found in BCP 78 and BCP 79. 268 Copies of IPR disclosures made to the IETF Secretariat and any 269 assurances of licenses to be made available, or the result of an 270 attempt made to obtain a general license or permission for the use of 271 such proprietary rights by implementers or users of this 272 specification can be obtained from the IETF on-line IPR repository at 273 http://www.ietf.org/ipr. 275 The IETF invites any interested party to bring to its attention any 276 copyrights, patents or patent applications, or other proprietary 277 rights that may cover technology that may be required to implement 278 this standard. Please address the information to the IETF at 279 ietf-ipr@ietf.org. 281 Acknowledgment 283 Funding for the RFC Editor function is provided by the IETF 284 Administrative Support Activity (IASA).