Transport Layer Security Working Group                        John Banes
INTERNET-DRAFT                                     Microsoft Corporation
Expires January, 2002                                 Richard Harrington
                                                      Qpass Incorporated
                                                           July 19, 2001

                   56-bit Export Cipher Suites For TLS
                draft-ietf-tls-56-bit-ciphersuites-01.txt

1.  Status of this Memo

   This document is an Internet-Draft and is subject to all provisions 
   of Section 10 of RFC2026. Internet-Drafts are working documents of 
   the Internet Engineering Task Force (IETF), its areas, and its 
   working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or made obsolete by other documents at
   any time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html


2.  Introduction

   This document describes several cipher suites to be used with the 
   Transport Layer Security (TLS) protocol.  Changes in US export
   regulations in 1999 permitted the export of software programs 
   using 56-bit data encryption and 1024-bit key exchange.  
   The cipher suites described in this document were designed to take
   advantage of this change in the regulations.

3. The CipherSuites

   The following values define the CipherSuite codes used in the client
   hello and server hello messages.

   The following CipherSuite definitions require that the server
   provide an RSA certificate that can be used for key exchange. The
   server may request either an RSA or a DSS signature-capable
   certificate in the certificate request message.

   CipherSuite TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     = { 0x00,0x62 };
   CipherSuite TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      = { 0x00,0x64 };


Banes                      Expires January, 2002              [Page 1]
INTERNET-DRAFT             56-bit Export TLS          January 15, 1999


   The following CipherSuite definitions are used for
   server-authenticated (and optionally client-authenticated)
   Diffie-Hellman.  DHE denotes ephemeral Diffie-Hellman, where the
   Diffie-Hellman parameters are signed by a DSS certificate, which
   has been signed by the CA. 

   CipherSuite TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = { 0x00,0x63 };
   CipherSuite TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  = { 0x00,0x65 };
   CipherSuite TLS_DHE_DSS_WITH_RC4_128_SHA            = { 0x00,0x66 };


4. CipherSuite definitions

CipherSuite                        Is         Key            Cipher  Hash
                               Exportable   Exchange

TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     * RSA_EXPORT1024     DES_CBC  SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      * RSA_EXPORT1024     RC4_56   SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA * RSA_EXPORT1024     DES_CBC  SHA
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  * DHE_DSS_EXPORT1024 RC4_56   SHA
TLS_DHE_DSS_WITH_RC4_128_SHA              DHE_DSS            RC4_128  SHA

* Indicates IsExportable is True

      Key
      Exchange
      Algorithm           Description                        Key size limit
      
      RSA_EXPORT1024      RSA key exchange                   RSA = 1024 bits
      DHE_DSS_EXPORT1024  Ephemeral DH with DSS signatures   DH = 1024 bits

   Key size limit
       The key size limit gives the size of the largest public key that
       can be legally used for encryption in cipher suites that are
       exportable.

                         Key      Expanded   Effective   IV    Block
    Cipher       Type  Material Key Material  Key Bits  Size   Size
    
    RC4_56       Stream   7         16          56        0     N/A
    DES_CBC      Block    8          8          56        8      8


5. Implementation Notes

   When an RSA_EXPORT1024 cipher suite is used, and the server's RSA
   Key is larger than 1024 bits in length, then the server must send
   a server key exchange message to the client. This message is to
   contain a temporary RSA key, signed by the server. This temporary
   RSA key should be the maximum allowable length (i.e., 1024 bits).


Banes                      Expires January, 2002              [Page 2]
INTERNET-DRAFT             56-bit Export TLS          January 15, 1999


   Servers with a large RSA key will often maintain two temporary RSA
   keys: a 512-bit key used to support the RSA_EXPORT cipher suites,
   and a 1024-bit key used to support the RSA_EXPORT1024 cipher suites.

   When 56-bit DES keys are derived for an export cipher suite, the
   additional export key derivation step must be performed. That is,
   the final read and write DES keys (and the IV) are not taken 
   directly from the key_block.

6. References

   [TLS] T. Dierks, C. Allen, The TLS Protocol, 
   <draft-ietf-tls-protocol-06.txt>, November 1998.

7. Authors

   John Banes                         Richard Harrington
   Microsoft Corp.                    Qpass Inc.
   jbanes@microsoft.com               rharrington@qpass.com

































Banes                      Expires January, 2002              [Page 3]