idnits 2.17.1 draft-mcgrew-tls-aes-ccm-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (May 8, 2012) is 4368 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'AES' -- Possible downref: Non-RFC (?) normative reference: ref. 'CCM' ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS Working Group D. McGrew 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track D. Bailey 5 Expires: November 9, 2012 RSA, the Security Division of EMC 6 May 8, 2012 8 AES-CCM Cipher Suites for TLS 9 draft-mcgrew-tls-aes-ccm-04 11 Abstract 13 This memo describes the use of the Advanced Encryption Standard (AES) 14 in the Counter and CBC-MAC Mode (CCM) of operation within Transport 15 Layer Security (TLS) and Datagram TLS (DTLS) to provide 16 confidentiality and data origin authentication. The AES-CCM 17 algorithm is amenable to compact implementations, making it suitable 18 for constrained environments. 20 Status of this Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on November 9, 2012. 37 Copyright Notice 39 Copyright (c) 2012 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Conventions Used In This Document . . . . . . . . . . . . . . . 3 58 3. RSA Based AES-CCM Cipher Suites . . . . . . . . . . . . . . . . 3 60 4. PSK Based AES-CCM Cipher Suites . . . . . . . . . . . . . . . . 4 62 5. TLS Versions . . . . . . . . . . . . . . . . . . . . . . . . . 5 64 6. New AEAD algorithms . . . . . . . . . . . . . . . . . . . . . . 5 65 6.1. AES-128-CCM with an 8-octet Integrity Check Value (ICV) . . 5 66 6.2. AES-256-CCM with a 8-octet Integrity Check Value (ICV) . . 6 68 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 70 8. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 71 8.1. Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . 6 72 8.2. Counter Reuse . . . . . . . . . . . . . . . . . . . . . . . 6 74 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 76 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 77 10.1. Normative References . . . . . . . . . . . . . . . . . . . 7 78 10.2. Informative References . . . . . . . . . . . . . . . . . . 7 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 82 1. Introduction 84 This document describes the use of Advanced Encryption Standard (AES) 85 [AES] in Counter with CBC-MAC Mode (CCM) [CCM] in several TLS 86 ciphersuites. AES-CCM provides both authentication and 87 confidentiality and uses as its only primitive the AES encrypt 88 operation (the AES decrypt operation is not needed). This makes it 89 amenable to compact implementations, which is advantageous in 90 constrained environments. Of course, adoption outside of constrained 91 environments is necessary to enable interoperability, such as that 92 between web clients and embedded servers, or between embedded clients 93 and web servers. The use of AES-CCM has been specified for IPsec ESP 94 [RFC4309] and 802.15.4 wireless networks [IEEE802154]. 96 Authenticated encryption, in addition to providing confidentiality 97 for the plaintext that is encrypted, provides a way to check its 98 integrity and authenticity. Authenticated Encryption with Associated 99 Data, or AEAD [RFC5116], adds the ability to check the integrity and 100 authenticity of some associated data that is not encrypted. This 101 note utilizes the AEAD facility within TLS 1.2 [RFC5246] and the AES- 102 CCM-based AEAD algorithms defined in [RFC5116]. Additional AEAD 103 algorithms are defined, which use AES-CCM but which have shorter 104 authentication tags, and therefore are more suitable for use across 105 networks in which bandwidth is constrained and message sizes may be 106 small. 108 The ciphersuites defined in this document use RSA or Pre-Shared Key 109 (PSK) as their key establishment mechanism; these ciphersuites can be 110 used with DTLS [RFC6347]. Since the abiltiy to use AEAD ciphers was 111 introduced in DTLS version 1.2, the ciphersuites defined in this note 112 cannot be used with earlier versions of that protocol. 114 2. Conventions Used In This Document 116 he key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 117 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 118 document are to be interpreted as described in [RFC2119] 120 3. RSA Based AES-CCM Cipher Suites 122 The ciphersuites defined in this document are based on the the AES- 123 CCM authenticated encryption with associated data (AEAD) algorithms 124 AEAD_AES_128_CCM and AEAD_AES_256_CCM described in [RFC5116]. The 125 following RSA-based ciphersuites are defined: 127 CipherSuite TLS_RSA_WITH_AES_128_CCM = {TBD1,TBD1} 128 CipherSuite TLS_RSA_WITH_AES_256_CCM = {TBD2,TBD2) 129 CipherSuite TLS_DHE_RSA_WITH_AES_128_CCM = {TBD3,TBD3} 130 CipherSuite TLS_DHE_RSA_WITH_AES_256_CCM = {TBD4,TBD4} 131 CipherSuite TLS_RSA_WITH_AES_128_CCM_8 = {TBD5,TBD5} 132 CipherSuite TLS_RSA_WITH_AES_256_CCM_8 = {TBD6,TBD6) 133 CipherSuite TLS_DHE_RSA_WITH_AES_128_CCM_8 = {TBD7,TBD7} 134 CipherSuite TLS_DHE_RSA_WITH_AES_256_CCM_8 = {TBD8,TBD8} 136 These ciphersuites make use of the AEAD capability in TLS 1.2 137 [RFC5246]. Each uses AES-CCM; those that end in "_8" have an 8-octet 138 authentication tag, while the other ciphersuites have 16-octet 139 authentication tags. 141 The HMAC truncation option described in Section 7 of [RFC6066] (which 142 negotiates the "truncated_hmac" TLS extension) does not have an 143 effect on cipher suites that do not use HMAC. 145 The "nonce" input to the AEAD algorithm is exactly that of [RFC5288]: 146 the "nonce" SHALL be 12 bytes long and is constructed as follows: 148 struct { 149 case client: 150 uint32 client_write_IV; // low order 32-bits 151 case server: 152 uint32 server_write_IV; // low order 32-bits 153 uint64 seq_num; 154 } CCMNonce. 156 In DTLS, the 64-bit seq_num is the 16-bit epoch concatenated with the 157 48-bit seq_num. 159 These ciphersuites make use of the default TLS 1.2 Pseudorandom 160 Function (PRF), which uses HMAC with the SHA-256 hash function. The 161 RSA and RSA-DHE key exchange is performed as defined in [RFC5246]. 163 4. PSK Based AES-CCM Cipher Suites 165 As in Section Section 3, these ciphersuites follow [RFC5116]. The 166 PSK and DHE_PSK key exchange is performed as in [RFC4279]. The 167 following ciphersuites are defined: 169 CipherSuite TLS_PSK_WITH_AES_128_CCM = {TBD9,TBD9} 170 CipherSuite TLS_PSK_WITH_AES_256_CCM = {TBD10,TBD10) 171 CipherSuite TLS_DHE_PSK_WITH_AES_128_CCM = {TBD11,TBD11} 172 CipherSuite TLS_DHE_PSK_WITH_AES_256_CCM = {TBD12,TBD12} 173 CipherSuite TLS_PSK_WITH_AES_128_CCM_8 = {TBD13,TBD13} 174 CipherSuite TLS_PSK_WITH_AES_256_CCM_8 = {TBD14,TBD14) 175 CipherSuite TLS_PSK_DHE_WITH_AES_128_CCM_8 = {TBD15,TBD15} 176 CipherSuite TLS_PSK_DHE_WITH_AES_256_CCM_8 = {TBD16,TBD16} 178 The "nonce" input to the AEAD algorithm is defined as in Section 179 Section 3. 181 These ciphersuites make use of the default TLS 1.2 Pseudorandom 182 Function (PRF), which uses HMAC with the SHA-256 hash function. The 183 PSK and PSK-DHE key exchange is performed as defined in [RFC5487]. 185 5. TLS Versions 187 These ciphersuites make use of the authenticated encryption with 188 additional data (AEAD) defined in TLS 1.2 [RFC5288]. Earlier 189 versions of TLS do not have support for AEAD; for instance, the 190 TLSCiphertext structure does not have the "aead" option in TLS 1.1. 191 Consequently, these ciphersuites MUST NOT be negotiated in older 192 versions of TLS. Clients MUST NOT offer these cipher suites if they 193 do not offer TLS 1.2 or later. Servers which select an earlier 194 version of TLS MUST NOT select one of these cipher suites. Because 195 TLS has no way for the client to indicate that it supports TLS 1.2 196 but not earlier, a non-compliant server might potentially negotiate 197 TLS 1.1 or earlier and select one of the cipher suites in this 198 document. Clients MUST check the TLS version and generate a fatal 199 "illegal_parameter" alert if they detect an incorrect version. 201 6. New AEAD algorithms 203 The following AEAD algorithms are defined: 204 AEAD_AES_128_CCM_8 = TBD17 205 AEAD_AES_256_CCM_8 = TBD18 207 6.1. AES-128-CCM with an 8-octet Integrity Check Value (ICV) 209 The AEAD_AES_128_CCM_8 authenticated encryption algorithm is 210 identical to the AEAD_AES_128_CCM algorithm (see Section 5.3 of 211 [RFC5116]), except that it uses eight octets for authentication, 212 instead of the full sixteen octets used by AEAD_AES_128_CCM. The 213 AEAD_AES_128_CCM_8 ciphertext consists of the ciphertext output of 214 the CCM encryption operation concatenated with the 8-octet 215 authentication tag output of the CCM encryption operation. Test 216 cases are provided in [CCM]. The input and output lengths are as for 217 AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8 ciphertext is exactly 8 218 octets longer than its corresponding plaintext. 220 6.2. AES-256-CCM with a 8-octet Integrity Check Value (ICV) 222 The AEAD_AES_256_CCM_8 authenticated encryption algorithm is 223 identical to the AEAD_AES_256_CCM algorithm (see Section 5.4 of 224 [RFC5116]), except that it uses eight octets for authentication, 225 instead of the full sixteen octets used by AEAD_AES_256_CCM. The 226 AEAD_AES_256_CCM_8 ciphertext consists of the ciphertext output of 227 the CCM encryption operation concatenated with the 8-octet 228 authentication tag output of the CCM encryption operation. Test 229 cases are provided in [CCM]. The input and output lengths are as as 230 for AEAD_AES_128_CCM. An AEAD_AES_128_CCM_8 ciphertext is exactly 8 231 octets longer than its corresponding plaintext. 233 7. IANA Considerations 235 IANA is requested to assign the values for the ciphersuites defined 236 in Section 3 and Section 4 from the TLS and DTLS CipherSuite 237 registries, and the values of the AEAD algorithms defined in 238 Section 6 from the AEAD algorithm registry. IANA, please note that 239 the DTLS-OK column should be marked as "Y" for each of these 240 algorithms. 242 8. Security Considerations 244 8.1. Perfect Forward Secrecy 246 The perfect forward secrecy properties of RSA based TLS ciphersuites 247 are discussed in the security analysis of [RFC5246]. It should be 248 noted that only the ephemeral Diffie-Hellman based ciphersuites are 249 capable of providing perfect forward secrecy. 251 8.2. Counter Reuse 253 AES-CCM security requires that the counter is never reused. The IV 254 construction in Section 3 is designed to prevent counter reuse. 256 9. Acknowledgements 258 This draft borrows heavily from [RFC5288]. Thanks are due to Stephen 259 Farrell and Robert Cragie for their input. 261 10. References 262 10.1. Normative References 264 [AES] National Institute of Standards and Technology, 265 "Specification for the Advanced Encryption Standard 266 (AES)", FIPS 197, November 2001. 268 [CCM] National Institute of Standards and Technology, 269 "Recommendation for Block Cipher Modes of Operation: The 270 CCM Mode for Authentication and Confidentiality", SP 800- 271 38C, May 2004. 273 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 274 Requirement Levels", BCP 14, RFC 2119, March 1997. 276 [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites 277 for Transport Layer Security (TLS)", RFC 4279, 278 December 2005. 280 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 281 Encryption", RFC 5116, January 2008. 283 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 284 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 286 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 287 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 288 August 2008. 290 [RFC5487] Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA- 291 256/384 and AES Galois Counter Mode", RFC 5487, 292 March 2009. 294 [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: 295 Extension Definitions", RFC 6066, January 2011. 297 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 298 Security Version 1.2", RFC 6347, January 2012. 300 10.2. Informative References 302 [IEEE802154] 303 Institute of Electrical and Electronics Engineers, 304 "Wireless Personal Area Networks", IEEE Standard 802.15.4- 305 2006, 2006. 307 [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM 308 Mode with IPsec Encapsulating Security Payload (ESP)", 309 RFC 4309, December 2005. 311 Authors' Addresses 313 David McGrew 314 Cisco Systems 315 13600 Dulles Technology Drive 316 Herndon, VA 20171 317 USA 319 Email: mcgrew@cisco.com 321 Daniel V. Bailey 322 RSA, the Security Division of EMC 323 174 Middlesex Tpke. 324 Bedford, MA 01463 325 USA 327 Email: dbailey@rsa.com