<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC5652 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5652.xml">
<!ENTITY RFC5759 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5759.xml">
<!ENTITY RFC6318 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6318.xml">
<!ENTITY RFC6257 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6257.xml">
<!ENTITY RFC5050 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5050.xml">
   
]>
<?rfc toc="yes"?>
<!-- generate a table of contents -->
<?rfc symrefs="yes"?>
<!-- use anchors instead of numbers for references -->
<?rfc sortrefs="yes" ?>
<!-- alphabetize the references -->
<?rfc compact="yes" ?>
<!-- conserve vertical whitespace -->
<?rfc subcompact="no" ?>
<!-- but keep a blank line between list items -->
<rfc category="exp" docName="draft-birrane-dtn-bpsec-suiteb-profile-00" ipr="trust200902"
     obsoletes="" submissionType="IETF" updates="" xml:lang="en">
  <front>
    <title>Suite B Profile for Bundle Protocol Security (BPSec)</title>

    <author fullname="Edward J. Birrane" initials="E.J."
            surname="Birrane">
      <organization abbrev="JHU/APL">The Johns Hopkins University Applied
      Physics Laboratory</organization>

      <address>
        <postal>
          <street>11100 Johns Hopkins Rd.</street>

          <city>Laurel</city>

          <region>MD</region>

          <code>20723</code>

          <country>US</country>
        </postal>

        <phone>+1 443 778 7423</phone>

        <email>Edward.Birrane@jhuapl.edu</email>
      </address>
    </author>

    <date month="December" year="2015"/>

    <!-- Meta-data -->

    <area>General</area>

    <workgroup>Delay-Tolerant Networking</workgroup>

    <keyword>security</keyword>

    <keyword>bundle</keyword>

    <keyword>integrity</keyword>

    <keyword>authentication</keyword>

    <keyword>confidentiality</keyword>

    <abstract>
      <t>
         The United States Government has published guidelines for "NSA Suite
         B Cryptography" dated July, 2005, which define cryptographic
         algorithm policy for national security applications.  This document
         specifies the conventions for using Suite B cryptography with
         Bundle Protocol Security (BPSec).
      </t>
      <t>
         Since many of the Suite B algorithms are also used in other
         environments, the majority of the conventions needed for the Suite B
         algorithms are already specified in other documents.  This document
         references the source of these conventions, with some relevant
         details repeated to aid developers who choose to support Suite B
         within BPSec.
      </t>
    </abstract>
  </front>

  <middle>
    <section anchor="intro" title="Introduction" toc="default">
      <t>
         This document specifies the conventions for using NSA Suite B
         Cryptography <xref target="SuiteB"/> with Bundle Protocol Security (BPSec)
         <xref target="I-D.ietf-dtn-bpsec"/>. This document is an update to the Suite B
         profile created by Burgin and Hennessy <xref target="I-D.hennessy-bsp-suiteb-profile"/>. This
         update adapts the profile from BSP <xref target="RFC6257"/> to BPSec.
      </t>
      <t>
         BPSec provides source authentication, data integrity, and data confidentiality
         services for the Bundle Protocol (BP) <xref target="RFC5050"/>.         
      </t>      
      <t>
         <xref target="I-D.birrane-dtn-bpsec-suiteb-ciphersuites"/> defines ciphersuites for BPSec that are
         composed of Suite B algorithms for use with the security block types
         BAB, BIB, and BCB.  Suite B compliant implementations for BPSec MUST use
         one of these ciphersuites, depending upon the desired security level and
         security services.
      </t>
   </section>      
   
   <section anchor="term" title="Requirements Language" toc="default">
      <t>
         The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
        "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
        "OPTIONAL" in this document are to be interpreted as described in
        <xref format="default" pageno="false" target="RFC2119"/>.
      </t>
   </section>
   
   <section title="Suite B Requirements">
      <t>
         Suite B requires that key establishment and signature algorithms be
         based upon Elliptic Curve Cryptography and that the encryption
         algorithm be AES <xref target="FIPS197"/>.  Suite B includes <xref target="SuiteB"/>:
      
         <list hangIndent="8" style="hanging">
            <t hangText="Encryption:"> <vspace blankLines="0" /> 
               Advanced Encryption Standard (AES) <xref target="FIPS197"/>
               (key sizes of 128 and 256 bits)
            </t>
            <t hangText="Digital Signature:"> <vspace blankLines="0" />
               Elliptic Curve Digital Signature Algorithm (ECDSA) <xref target="FIPS186-3"/> 
               (using the curves with 256- and 384-bit prime moduli).               
            </t>
            <t hangText="Key Exchange:"> <vspace blankLines="0" />
               Elliptic Curve Diffie-Hellman (ECDH) <xref target="SP800-56A"/> 
               (using the curves with 256- and 384-bit prime moduli).
            </t>            
            <t hangText="Hashes:"> <vspace blankLines="0" />
               SHA-256 and SHA-384 <xref target="FIPS180-3"/>.
            </t>                                    
         </list>  
         
         The two elliptic curves used in Suite B appear in the literature
         under two different names.  For the sake of clarity, we list both names
         below.
         </t>
         
         <texttable>
            <ttcol align="center">Curve</ttcol>
            <ttcol align="center">NIST Name</ttcol>
            <ttcol align="center">SECG Name</ttcol>
            <ttcol align="center">OID [FIPS186-3]</ttcol>

            <c>P-256</c>
            <c>nistp256</c>
            <c>secp256r1</c>
            <c>1.2.840.10045.3.1.7</c>

            <c>P-384</c>
            <c>nistp384</c>
            <c>secp384r1</c>
            <c>1.3.132.0.34</c>                                                         
         </texttable>                  
     
   </section>
  
   <section title="Minimum Levels of Security (minLOS)">
      <t>
         Suite B provides for two levels of cryptographic security, namely a
         128-bit minimum level of security (minLOS_128) and a 192-bit minimum
         level of security (minLOS_192).  Each level defines a minimum
         strength that all cryptographic algorithms must provide.
      </t>
        
     
      <section title="Non-signature Primitives">
         <t>
            We divide the Suite B non-signature primitives into two columns as
            shown in <xref target="table1"/>.
         </t>            
         
         <texttable anchor="table1" title="Suite B Cryptographic Non-Signature Primitives">
            <ttcol></ttcol>
            <ttcol>Column 1</ttcol>
            <ttcol>Column 2</ttcol>
                                    
            <c>Encryption</c>
            <c> AES-128 </c>
            <c> AES-256 </c>        

            <c>Key Agreement</c>
            <c> ECDH on P-256 </c>
            <c> ECDH on P-384 </c>        

            <c>Key Wrap</c>
            <c> AES-128 Key Wrap </c>
            <c> AES-256 Key Wrap </c>        

            <c>Hash for PRF/MAC</c>
            <c> SHA-256 </c>
            <c> SHA-384 </c>        
                                                                          
         </texttable>

         <t>
            At the 128-bit minimum level of security:
          
            <list style="symbols">
               <t>
                  the non-signature primitives MUST either come exclusively from
                  Column 1 or exclusively from Column 2, with Column 1 being the
                  preferred suite.            
               </t>
          </list>
          
            At the 192-bit minimum level of security:
         
            <list style="symbols">
               <t>
                  the non-signature primitives MUST come exclusively from Column 2.           
               </t>
            </list>
                      
         </t>         
      </section>

      <section title="Suite B Authentication">
         <t>         
            Digital signatures using ECDSA MUST be used for authentication by
            Suite B compliant BPSec implementations.  To simplify notation,
            ECDSA-256 will be used to represent an instantiation of the ECDSA
            algorithm using the P-256 curve and the SHA-256 hash function, and
            ECDSA-384 will be used to represent an instantiation of the ECDSA
            algorithm using the P-384 curve and the SHA-384 hash function.
         </t>
         <t>           
            If configured at a minimum level of security of 128 bits, a Suite B
            compliant BPSec implementation MUST use either ECDSA-256 or ECDSA-384
            for authentication.  It is allowable for one party to authenticate
            with ECDSA-256 and the other party to authenticate with ECDSA-384.
         </t>
         <t>         
            Security-aware nodes in a Suite B compliant BPSec implementation
            configured at a minimum level of security of 128 bits MUST be able to
            verify ECDSA-256 signatures and SHOULD be able to verify ECDSA-384
            signatures unless it is absolutely certain that the implementation
            will never need to verify certificates from an authority which uses
            an ECDSA-384 signing key.
         </t>
         <t>         
            Security-aware nodes in a Suite B compliant BPSec implementation
            configured at a minimum level of security of 192 bits MUST use
            ECDSA-384 for authentication and MUST be able to verify ECDSA-384
            signatures.
         </t>
      </section>

      <section title="Digital Signatures and Certificates">
         <t>
            Security-aware nodes in a Suite B compliant BPSec implementation, at
            both minimum levels of security, MUST each use an X.509 certificate
            that complies with the "Suite B Certificate and Certificate
            Revocation List (CRL) Profile" <xref target="RFC5759"/> and that contains an
            elliptic curve public key with the key usage field set for digital
            signature.  The endpoint IDs MUST be placed in the subjectAltName
            field of the X.509 certificate.            
         </t>
      </section>
   </section>
   
   <section title="Suite B Ciphersuites">
      <t>
         Each system MUST specify a security level of a minimum of 128 bits or
         192 bits.  The security level determines which suites from <xref target="I-D.birrane-dtn-bpsec-suiteb-ciphersuites"/> are allowed.
      </t>
      
      <t>         
         Each of the ciphersuites specified in <xref target="I-D.birrane-dtn-bpsec-suiteb-ciphersuites"/>
         satisfies the Suite B requirements in Section 3 of this document.
      </t>

      <t>     
         At the 128-bit minimum level of security:

         <list style="symbols">
            <t>  
               If a Block Integrity Block (BIB) is included in the bundle, one
               of BIB-ECDSA-SHA256 or BIB-ECDSA-SHA384 MUST be used by Suite B
               compliant BPSec implementations.   
            </t>

            <t> 
               If a Block Confidentiality Block (BCB) is included in the
               bundle, one of BCB-ECDH-SHA256-AES128 or BCB-ECDH-SHA384-AES256
               MUST be used by Suite B compliant BPSec implementations.    
            </t>
         </list>

         At the 192-bit minimum level of security:
         
         <list style="symbols">
            <t> 
               If a Block Integrity Block (BIB) is included in the bundle,
               BIB-ECDSA-SHA384 MUST be used by Suite B compliant BPSec implementations.
            </t>            
            <t>
               If a Block Confidentiality Block (BCB) is included in the
               bundle, BCB-ECDH-SHA384-AES256 MUST be used by Suite B compliant
               BPSec implementations.
            </t>
         </list>
      </t>     
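      <t>
         The following is an added example, not part of the original profile
         text: a Python check of a node configuration against the minLOS rules
         for non-signature primitives, authentication, and BIB/BCB ciphersuites
         stated in this document. The algorithm labels, the configuration
         layout, and the names check_node and MIXED are assumptions of this
         example.
      </t>
      <figure><artwork><![CDATA[
```python
# Added example: Suite B minLOS policy check for a BPSec node configuration.
# Algorithm labels and the config layout are this example's own assumptions;
# ciphersuite names are the ones listed in this section.
COLUMNS = {  # non-signature primitives, Column 1 and Column 2
    1: {"encryption": "AES-128", "key_agreement": "ECDH-P256",
        "key_wrap": "AES-128-KW", "hash": "SHA-256"},
    2: {"encryption": "AES-256", "key_agreement": "ECDH-P384",
        "key_wrap": "AES-256-KW", "hash": "SHA-384"},
}
SIGNATURES = {128: {"ECDSA-256", "ECDSA-384"}, 192: {"ECDSA-384"}}
SUITES = {
    128: {"BIB": {"BIB-ECDSA-SHA256", "BIB-ECDSA-SHA384"},
          "BCB": {"BCB-ECDH-SHA256-AES128", "BCB-ECDH-SHA384-AES256"}},
    192: {"BIB": {"BIB-ECDSA-SHA384"},
          "BCB": {"BCB-ECDH-SHA384-AES256"}},
}
# Constructed sample: AES-256 settings paired with a P-256 key agreement.
MIXED = {"encryption": "AES-256", "key_agreement": "ECDH-P256",
         "key_wrap": "AES-256-KW", "hash": "SHA-384"}


def check_node(min_los, primitives, signature, blocks):
    """Return a list of violations; an empty list means the config conforms.

    primitives maps a role to an algorithm label, blocks maps a security
    block type ("BIB" or "BCB") to the ciphersuite name configured for it.
    """
    if min_los not in SUITES:
        return [f"minLOS must be 128 or 192, got {min_los}"]
    problems, cols = [], set()
    for role, alg in sorted(primitives.items()):
        col = next((c for c, t in COLUMNS.items() if t.get(role) == alg), None)
        if col is None:
            problems.append(f"{role}: {alg} is not a Suite B primitive")
        else:
            cols.add(col)
    # Primitives must come exclusively from one column; 192 allows Column 2 only.
    if len(cols) > 1:
        problems.append("non-signature primitives mix Column 1 and Column 2")
    elif min_los == 192 and cols == {1}:
        problems.append("minLOS_192 requires Column 2 primitives")
    if signature not in SIGNATURES[min_los]:
        problems.append(f"signature {signature} not allowed at minLOS_{min_los}")
    for btype, suite in sorted(blocks.items()):
        if suite not in SUITES[min_los].get(btype, set()):
            problems.append(f"{btype}: {suite} not allowed at minLOS_{min_los}")
    return problems
```
]]></artwork></figure>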
   </section>      

   <section title="Security Considerations">
      <t>
         Two levels of security may be achieved using this specification.
         Users must consider their risk environment to determine which level
         is appropriate for their own use.
      </t>

      <t>
         This specification does not consider the CMS Block of the BPSec
         specification. Details for using CMS in Suite B can be found in <xref target="RFC6318"/>.  The
         security considerations in <xref target="RFC5652"/> discuss the CMS as a method for         
         digitally signing data and encrypting data.                  
      </t>     
   </section> 

   <section title="IANA Considerations">
      <t>
         None.
      </t>
   </section>   
  </middle>

  <back>
    <references title="Normative References">
      
       <reference anchor="FIPS180-3">
          <front>
             <title>Secure Hash Standard</title>
             <author>
                <organization>
                   National Institute of Standards and Technology
                </organization>
             </author>
             <date month="October" year="2008"/>
          </front>
          <seriesInfo name="FIPS PUB" value="180-3"/>
       </reference>
       
       <reference anchor="FIPS186-3">
          <front>
             <title>Digital Signature Standard (DSS)</title>
             <author>
                <organization>
                   National Institute of Standards and Technology
                </organization>
             </author>
             <date month="June" year="2009"/>
          </front>
          <seriesInfo name="FIPS PUB" value="186-3"/>
       </reference>
              
       <reference anchor="FIPS197">
          <front>
             <title>Advanced Encryption Standard (AES)</title>
             <author>
                <organization>
                   National Institute of Standards and Technology
                </organization>
             </author>
             <date month="November" year="2001"/>
          </front>
          <seriesInfo name="FIPS PUB" value="197"/>
       </reference>
              
       &RFC2119;
       &RFC5652;
       &RFC5759;
       &RFC6318;       
        

       <?rfc include="reference.I-D.ietf-dtn-bpsec.xml"?>
	       	
       <reference anchor="I-D.birrane-dtn-bpsec-suiteb-ciphersuites">
          <front>
             <title>Suite B Ciphersuites for Bundle Protocol Security (BPSec)</title>
             <author initials="E." surname="Birrane" fullname="E. Birrane">
                  <organization />
               </author>
             <date month="December" year="2015"/>
          </front>
          <seriesInfo name="draft-birrane-dtn-bpsec-suiteb-ciphersuites-00" value="(work in progress)"/>
       </reference>
       	       	

       	
       	    </references>

    <references title="Informative References">

      &RFC6257;
      &RFC5050;
       
      <?rfc include="reference.I-D.hennessy-bsp-suiteb-profile.xml"?>  
      <?rfc include="reference.I-D.hennessy-bsp-suiteb-ciphersuites.xml"?>
      
      <reference anchor="SP800-56A">
         <front>
            <title>Recommendation for Pair-wise Key Establishment Schemes Using Discrete Logarithm Cryptography</title>
             <author>
                <organization> 
                   National Institute of Standards and Technology                   
                </organization>
             </author>
             
             <date month="March" year="2007"/>
          </front>
          <seriesInfo name="NIST Special Publication" value="800-56A"/>                    
       </reference>
               
      <reference anchor="SuiteB" target="http://www.nsa.gov/ia/programs/suiteb_cryptography/">
         <front>
            <title>Fact Sheet NSA Suite B Cryptography</title>
             <author>
                <organization> 
                   U.S. National Security Agency                   
                </organization>
             </author>
             
             <date month="January" year="2009"/>
          </front>
       </reference>
                                                      
    </references>

  </back>
</rfc>
