Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)

The Camellia cipher suites are already specified in RFC5932 with SHA-256 based HMAC using asymmetric key encryption. This document proposes the addition of new cipher suites to the Transport Layer Security (TLS) protocol to support the Camellia cipher algorithm as a block cipher algorithm. The proposed cipher suites include variants using SHA-2 family of cryptographic hash functions and Galois Counter Mode (GCM) . Elliptic curve cipher suites and Pre-Shared Key (PSK) cipher suites are also included.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 .

The eight cipher suites use Camellia in Cipher Block Chaining (CBC) mode with a SHA-2 family HMAC using elliptic curves cryptosystem:

The twenty cipher suites use the same asymmetric key algorithms as those in the previous section but use the authenticated encryption modes defined in TLS 1.2 with the Camellia in GCM .

The fourteen cipher suites describe PSK cipher suites. The first six cipher suites use Camellia with GCM and the next eight cipher suites use the Camellia with SHA-2 family HMAC using asymmetric key encryption or elliptic curves cryptosystem.

The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, ECDH, DH_anon, and ECDHE key exchanges are performed as defined in RFC5246 .

This document describes cipher suites based on Camellia cipher using CBC mode and GCM. The details are follows; The CAMELLIA_128_CBC cipher suites use Camellia in CBC mode with a 128-bit key and 128-bit Initialization Vector (IV); the CAMELLIA_256_CBC cipher suites use a 256-bit key and 128-bit IV. Advanced Encryption Standard (AES) authenticated encryption with additional data algorithms, AEAD_AES_128_GCM and AEAD_AES_256_GCM are described in RFC5116 . And AES GCM cipher suites for TLS are described in RFC5288 . AES and Camellia share common characteristics including key sizes and block length. CAMELLIA_128_GCM and CAMELLIA_256_GCM are defined according as those of AES.

The hash algorithms and PseudoRandom Function (PRF) algorithms for TLS 1.2 SHALL be as follows: a) The cipher suites ending with _SHA256 use HMAC-SHA-256 as the MAC algorithm, The PRF is the TLS PRF with SHA-256 as the hash function, b) The cipher suites ending with _SHA384 use HMAC-SHA-384 as the MAC algorithm, The PRF is the TLS PRF with SHA-384 as the hash function. When used with TLS versions prior to 1.2 (TLS 1.0 and TLS 1.1 ), the PRF is calculated as specified in the appropriate version of the TLS specification.

PSK cipher suites for TLS are described in RFC5487 as to SHA-256/384 and RFC5489 as to ECDHE_PSK.

At the time of writing this document there are no known weak keys for Camellia. And no security problem has been found on Camellia (see NESSIE , CRYPTREC , and LNCS 5867). The security considerations in previous RFCs (RFC5116 , RFC5289 , and RFC5487 ) apply to this document as well.

IANA is requested to allocate the following numbers in the TLS Cipher Suite Registry: