| < draft-ietf-curdle-cms-chacha20-poly1305-00.txt | draft-ietf-curdle-cms-chacha20-poly1305-01.txt > | |||
|---|---|---|---|---|
| Internet-Draft R. Housley | Internet-Draft R. Housley | |||
| Intended status: Standards Track Vigil Security | Intended status: Standards Track Vigil Security | |||
| Expires: 4 November 2016 4 May 2016 | Expires: 7 March 2017 7 September 2016 | |||
| Using ChaCha20-Poly1305 Authenticated Encryption | Using ChaCha20-Poly1305 Authenticated Encryption | |||
| in the Cryptographic Message Syntax (CMS) | in the Cryptographic Message Syntax (CMS) | |||
| <draft-ietf-curdle-cms-chacha20-poly1305-00.txt> | <draft-ietf-curdle-cms-chacha20-poly1305-01.txt> | |||
| Abstract | Abstract | |||
| This document describes the conventions for using ChaCha20-Poly1305 | This document describes the conventions for using ChaCha20-Poly1305 | |||
| Authenticated Encryption in the Cryptographic Message Syntax (CMS). | Authenticated Encryption in the Cryptographic Message Syntax (CMS). | |||
| ChaCha20-Poly1305 is a construction of the ChaCha stream cipher and | ChaCha20-Poly1305 is a construction of the ChaCha stream cipher and | |||
| Poly1305 authenticator. | Poly1305 authenticator. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 2, line 22 ¶ | skipping to change at page 2, line 22 ¶ | |||
| ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in | ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in | |||
| 2008. It is a refinement of Salsa20, which is one of the ciphers in | 2008. It is a refinement of Salsa20, which is one of the ciphers in | |||
| the eSTREAM portfolio [ESTREAM]. | the eSTREAM portfolio [ESTREAM]. | |||
| ChaCha20 is the 20-round variant of ChaCha; it requires a 256-bit key | ChaCha20 is the 20-round variant of ChaCha; it requires a 256-bit key | |||
| and a 96-bit nonce. ChaCha20 is described in [FORIETF]. | and a 96-bit nonce. ChaCha20 is described in [FORIETF]. | |||
| Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator | Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator | |||
| designed by D. J. Bernstein. Poly1305 produces a 16-byte | designed by D. J. Bernstein. Poly1305 produces a 16-byte | |||
| authentication tag; it requires a a 256-bit, single-use key. | authentication tag; it requires a 256-bit, single-use key. Poly1305 | |||
| Poly1305 is also described in [FORIETF]. | is also described in [FORIETF]. | |||
| ChaCha20 and Poly1305 have been designed for high performance in | ChaCha20 and Poly1305 have been designed for high performance | |||
| software implementations. They can typically be implemented with few | software implementations. They can typically be implemented with few | |||
| resources and inexpensive operations, making them suitable on a wide | resources and inexpensive operations, making them suitable on a wide | |||
| range of systems. They have also been designed to minimize leakage | range of systems. They have also been designed to minimize leakage | |||
| of information through side channels. | of information through side channels. | |||
| 1.1. The ChaCha20 and Poly1305 AEAD Construction | 1.1. The ChaCha20 and Poly1305 AEAD Construction | |||
| ChaCha20 and Poly1305 have been combined to create an Authenticated | ChaCha20 and Poly1305 have been combined to create an Authenticated | |||
| Encryption with Associated Data (AEAD) algorithm [AEAD]. This AEAD | Encryption with Associated Data (AEAD) algorithm [AEAD]. This AEAD | |||
| algorithm is often referred to as AEAD_CHACHA20_POLY1305, and it is | algorithm is often referred to as AEAD_CHACHA20_POLY1305, and it is | |||
| described in [FORIETF]. | described in [FORIETF]. | |||
| AEAD_CHACHA20_POLY1305 accepts four inputs: a 256-bit key, a 96-bit | AEAD_CHACHA20_POLY1305 accepts four inputs: a 256-bit key, a 96-bit | |||
| nonce, an arbitrary length plaintext, and an arbitrary length | nonce, an arbitrary length plaintext, and an arbitrary length | |||
| additional authenticated data (AAD). A nonce value cannot be used | additional authenticated data (AAD). As the name implies, a nonce | |||
| securely more than once with the same key. | value cannot be used securely more than once with the same key. | |||
| A high-level summary of AEAD_CHACHA20_POLY1305 authenticated | A high-level summary of AEAD_CHACHA20_POLY1305 authenticated | |||
| encryption processing is: | encryption processing is: | |||
| 1) A Poly1305 one-time key is generated from the 256-bit key and | 1) A Poly1305 one-time key is generated from the 256-bit key and | |||
| and nonce using the procedure described in Section 2.6 of | and nonce using the procedure described in Section 2.6 of | |||
| [FORIETF]. | [FORIETF]. | |||
| 2) The ChaCha20 encryption function is used to encrypt the | 2) The ChaCha20 encryption function is used to encrypt the | |||
| plaintext, using the same key and nonce, and with the initial | plaintext, using the same key and nonce, and with the initial | |||
| skipping to change at page 3, line 42 ¶ | skipping to change at page 3, line 42 ¶ | |||
| document are to be interpreted as described in RFC 2119 [STDWORDS]. | document are to be interpreted as described in RFC 2119 [STDWORDS]. | |||
| 1.3. ASN.1 | 1.3. ASN.1 | |||
| CMS values are generated using ASN.1 [X680], which uses the Basic | CMS values are generated using ASN.1 [X680], which uses the Basic | |||
| Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | |||
| [X690]. | [X690]. | |||
| 2. Automated Key Management | 2. Automated Key Management | |||
| The reuse of an ChaCha20 and Poly1305 AEAD nonce/key combination | The reuse of an AEAD_CHACHA20_POLY1305 nonce value with the same key | |||
| destroys the security guarantees. As a result, it can be extremely | destroys the security guarantees. As a result, it can be extremely | |||
| difficult to use the ChaCha20 and Poly1305 AEAD securely when using | difficult to use AEAD_CHACHA20_POLY1305 securely when using | |||
| statically configured keys. For safety's sake, implementations MUST | statically configured keys. For safety's sake, implementations MUST | |||
| use an automated key management system [KEYMGMT]. | use an automated key management system [KEYMGMT]. | |||
| The CMS authenticated-enveloped-data content type supports four | The CMS authenticated-enveloped-data content type supports four | |||
| general key management techniques: | general key management techniques: | |||
| Key Transport: the content-authenticated-encryption key is | Key Transport: the content-authenticated-encryption key is | |||
| encrypted in the recipient's public key; | encrypted in the recipient's public key; | |||
| Key Agreement: the recipient's public key and the sender's | Key Agreement: the recipient's public key and the sender's | |||
| skipping to change at page 7, line 10 ¶ | skipping to change at page 7, line 10 ¶ | |||
| 5652, September 2009. | 5652, September 2009. | |||
| [FORIETF] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | [FORIETF] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | |||
| Protocols", RFC 7539, May 2015. | Protocols", RFC 7539, May 2015. | |||
| [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate | [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [X680] ITU-T, "Information technology -- Abstract Syntax Notation | [X680] ITU-T, "Information technology -- Abstract Syntax Notation | |||
| One (ASN.1): Specification of basic notation", ITU-T | One (ASN.1): Specification of basic notation", ITU-T | |||
| Recommendation X.680, 2002. | Recommendation X.680, 2015. | |||
| [X690] ITU-T, "Information technology -- ASN.1 encoding rules: | [X690] ITU-T, "Information technology -- ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical | |||
| Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules | |||
| (DER)", ITU-T Recommendation X.690, 2002. | (DER)", ITU-T Recommendation X.690, 2015. | |||
| 8. Informative References | 8. Informative References | |||
| [AEAD] McGrew, D., "An Interface and Algorithms for Authenticated | [AEAD] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", RFC 5116, January 2008. | Encryption", RFC 5116, January 2008. | |||
| [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", January | [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", January | |||
| 2008, | 2008, | |||
| <http://cr.yp.to/chacha/chacha-20080128.pdf>. | <http://cr.yp.to/chacha/chacha-20080128.pdf>. | |||