Network Working Group A. Langley Internet-Draft W. Chang Updates: 5246, 6347 Google Inc (if approved) N. Mavrogiannopoulos Intended status: Standards Track Red Hat Expires: September 4, 2014 J. Strombergson Secworks Sweden AB S. Josefsson SJD AB March 3, 2014 The ChaCha Stream Cipher for Transport Layer Security draft-mavrogiannopoulos-chacha-tls-02 Abstract This document describes the use of the ChaCha stream cipher with HMAC-SHA1 and Poly1305 in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 4, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Langley, et al. Expires September 4, 2014 [Page 1] Internet-Draft chacha-tls March 2014 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. The ChaCha Cipher . . . . . . . . . . . . . . . . . . . . . . 4 3. The Poly1305 Authenticator . . . . . . . . . . . . . . . . . . 5 4. ChaCha20 Cipher Suites . . . . . . . . . . . . . . . . . . . . 6 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 . . . . . . . . . . 6 4.2. ChaCha20 Cipher Suites with Poly1305 . . . . . . . . . . . 7 5. Updates to the TLS Standard Stream Cipher . . . . . . . . . . 8 6. Updates to DTLS . . . . . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 10.2. Informative References . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Langley, et al. Expires September 4, 2014 [Page 2] Internet-Draft chacha-tls March 2014 1. Introduction This document describes the use of the ChaCha stream cipher in the Transport Layer Security (TLS) version 1.0 [RFC2246], TLS version 1.1 [RFC4346], and TLS version 1.2 [RFC5246] protocols, as well as in the Datagram Transport Layer Security (DTLS) versions 1.0 [RFC4347] and 1.2 [RFC6347]. It can also be used with Secure Sockets Layer (SSL) version 3.0 [RFC6101]. ChaCha [CHACHA] is a stream cipher that has been designed for high performance in software implementations. The cipher has compact implementation and uses few resources and inexpensive operations that makes it suitable for implementation on a wide range of architectures. It has been designed to prevent leakage of information through side channel analysis, has a simple and fast key setup and provides good overall performance. It is a variant of Salsa20 [SALSA20SPEC] which is one of the selected ciphers in the eSTREAM portfolio [ESTREAM]. Recent attacks [CBC-ATTACK] have indicated problems with CBC-mode cipher suites in TLS and DTLS as well as issues with the only supported stream cipher (RC4) [RC4-ATTACK]. While the existing AEAD (AES-GCM) ciphersuites address some of these issues, concerns about the performance and ease of software implementation are sometimes raised. Therefore, a new stream cipher to replace RC4 and address all the previous issues is needed. It is the purpose of this document to describe a secure stream cipher for both TLS and DTLS that is comparable to RC4 in speed on a wide range of platforms and can be implemented easily without being vulnerable to software side-channel attacks. Langley, et al. Expires September 4, 2014 [Page 3] Internet-Draft chacha-tls March 2014 2. The ChaCha Cipher ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in 2008. It is a refinement of Salsa20 and was used as the core of the SHA-3 finalist, BLAKE. The variant of ChaCha used in this document is ChaCha with 20 rounds, a 96-bit nonce and a 256 bit key, which will be referred to as ChaCha20 in the rest of this document. This is the conservative variant (with respect to security) of the ChaCha family and is described in [I-D.nir-cfrg-chacha20-poly1305]. Langley, et al. Expires September 4, 2014 [Page 4] Internet-Draft chacha-tls March 2014 3. The Poly1305 Authenticator Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator designed by D. J. Bernstein. Poly1305 takes a 32-byte, one-time key and a message and produces a 16-byte tag that authenticates the message such that an attacker has a negligible chance of producing a valid tag for an inauthentic message. It is described in [I-D.nir-cfrg-chacha20-poly1305]. Langley, et al. Expires September 4, 2014 [Page 5] Internet-Draft chacha-tls March 2014 4. ChaCha20 Cipher Suites In the next sections different ciphersuites are defined that utilize the ChaCha20 cipher combined with various message authentication methods. In all cases, the ChaCha20 cipher, as in [I-D.nir-cfrg-chacha20-poly1305], uses a 96-bit nonce. That nonce is updated on the encryption of every TLS record, and is formed as follows. struct { opaque salt[4]; opaque record_counter[8]; } ChaChaNonce; The salt is generated as part of the handshake process. It is either the client_write_IV (when the client is sending) or the server_write_IV (when the server is sending). The salt length (SecurityParameters.fixed_iv_length) is 4 bytes. The record_counter is the 64-bit TLS record sequence number. In case of DTLS the record_counter is formed as the concatenation of the 16-bit epoch with the 48-bit sequence number. In both TLS and DTLS the ChaChaNonce is implicit and not sent as part of the packet. The pseudorandom function (PRF) for TLS 1.2 is the TLS PRF with SHA- 256 as the hash function. When used with TLS versions prior to 1.2, the PRF is calculated as specified in the appropriate version of the TLS specification. The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK, ECDHE_PSK key exchanges are performed as defined in [RFC5246], [RFC4492], and [RFC5489]. 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 The following CipherSuites are defined. Langley, et al. Expires September 4, 2014 [Page 6] Internet-Draft chacha-tls March 2014 TLS_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_ECDHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_DHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_DHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_ECDHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_RSA_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} The MAC algorithm used in the ciphersuites above is HMAC-SHA1 [RFC6234]. 4.2. ChaCha20 Cipher Suites with Poly1305 The ChaCha20 and Poly1305 primitives are built into an AEAD algorithm [RFC5116], AEAD_CHACHA20_POLY1305, described in [I-D.nir-cfrg-chacha20-poly1305]. It takes as input a 256-bit key and a 96-bit nonce. When used in TLS, the "record_iv_length" is zero and the nonce is set to be the ChaChaNonce. The additional data is seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length, where "+" denotes concatenation. The following CipherSuites are defined. TLS_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} Langley, et al. Expires September 4, 2014 [Page 7] Internet-Draft chacha-tls March 2014 5. Updates to the TLS Standard Stream Cipher The ChaCha20 ciphersuites with HMAC-SHA1 defined in this document differ from the TLS RC4 ciphersuites that have been the basis for the definition of Standard Stream Cipher. Unlike RC4, ChaCha20 requires a nonce per record. This however, does not affect the description of the Standard Stream Cipher if one assumes that a nonce is optional and depends on the cipher's characteristics. Hence, this document modifies the Standard Stream Cipher by adding an implicit nonce. The implicit nonce may consist of o an optional fixed component ("salt"), generated from the key_block; o a variable component, based on the 64-bit TLS record sequence number or the concatenation of the 16-bit epoch with the 48-bit sequence number in case of DTLS. Stream ciphers that don't require a nonce such as RC4 shall ignore it. Other stream ciphers that require a nonce, such as ChaCha20 with HMAC-SHA1, will use the nonce and reset their state on each record. Langley, et al. Expires September 4, 2014 [Page 8] Internet-Draft chacha-tls March 2014 6. Updates to DTLS The DTLS protocol requires the cipher in use to introduce no dependencies between TLS Records to allow lost or rearranged records. For that it explicitly bans stream ciphers (see Section 3.1 of [RFC6347]). As the stream cipher described in this document, unlike RC4, does not require dependencies between records, this ban of stream ciphers is lifted with this document. Stream ciphers can be used with DTLS if they introduce no dependencies between records. Langley, et al. Expires September 4, 2014 [Page 9] Internet-Draft chacha-tls March 2014 7. Acknowledgements The authors would like to thank Zooko Wilcox-OHearn and Samuel Neves. Langley, et al. Expires September 4, 2014 [Page 10] Internet-Draft chacha-tls March 2014 8. IANA Considerations IANA is requested to assign the following Cipher Suites in the TLS Cipher Suite Registry: TLS_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} TLS_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_ECDHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_DHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_DHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_ECDHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} TLS_RSA_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} Langley, et al. Expires September 4, 2014 [Page 11] Internet-Draft chacha-tls March 2014 9. Security Considerations ChaCha20 follows the same basic principle as Salsa20, a cipher with significant security review [SALSA20-SECURITY][ESTREAM]. At the time of writing this document, there are no known significant security problems with either cipher, and ChaCha20 is shown to be more resistant in certain attacks than Salsa20 [SALSA20-ATTACK]. Furthermore ChaCha20 was used as the core of the BLAKE hash function, a SHA3 finalist, that had received considerable cryptanalytic attention [NIST-SHA3]. Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^102) for a 16*n byte message, even after sending 2^64 legitimate messages. The cipher suites described in this document require that an nonce is never repeated under the same key. The design presented ensures that by using the TLS sequence number which is unique and does not wrap [RFC5246]. This document should not introduce any other security considerations than those that directly follow from the use of the stream cipher ChaCha20, the AEAD_CHACHA20_POLY1305 construction, and those that directly follow from introducing any set of stream cipher suites into TLS and DTLS (see also the Security Considerations section of [I-D.nir-cfrg-chacha20-poly1305]). Langley, et al. Expires September 4, 2014 [Page 12] Internet-Draft chacha-tls March 2014 10. References 10.1. Normative References [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006. [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security", RFC 4347, April 2006. [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, May 2006. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. [RFC5489] Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for Transport Layer Security (TLS)", RFC 5489, March 2009. [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012. [I-D.nir-cfrg-chacha20-poly1305] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in progress), January 2014. 10.2. Informative References [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", January 2008, . [POLY1305] Bernstein, D., "The Poly1305-AES message-authentication code.", March 2005, . [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, January 2008. Langley, et al. Expires September 4, 2014 [Page 13] Internet-Draft chacha-tls March 2014 [SALSA20SPEC] Bernstein, D., "Salsa20 specification", April 2005, . [RFC6101] Freier, A., Karlton, P., and P. Kocher, "The Secure Sockets Layer (SSL) Protocol Version 3.0", RFC 6101, August 2011. [SALSA20-SECURITY] Bernstein, D., "Salsa20 security", April 2005, . [ESTREAM] Babbage, S., DeCanniere, C., Cantenaut, A., Cid, C., Gilbert, H., Johansson, T., Parker, M., Preneel, B., Rijmen, V., and M. Robshaw, "The eSTREAM Portfolio (rev. 1)", September 2008, . [CBC-ATTACK] AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking the TLS and DTLS Record Protocols", IEEE Symposium on Security and Privacy , 2013. [RC4-ATTACK] Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full Plaintext Recovery Attack on Broadcast RC4", International Workshop on Fast Software Encryption , 2013. [SALSA20-ATTACK] Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and C. Rechberger, "New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba", 2007, . [NIST-SHA3] Chang, S., Burr, W., Kelsey, J., Paul, S., and L. Bassham, "Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition", 2012, . Langley, et al. Expires September 4, 2014 [Page 14] Internet-Draft chacha-tls March 2014 Authors' Addresses Adam Langley Google Inc Email: agl@google.com Wan-Teh Chang Google Inc Email: wtc@google.com Nikos Mavrogiannopoulos Red Hat Email: nmav@redhat.com Joachim Strombergson Secworks Sweden AB Email: joachim@secworks.se URI: http://secworks.se/ Simon Josefsson SJD AB Email: simon@josefsson.org URI: http://josefsson.org/ Langley, et al. Expires September 4, 2014 [Page 15]