| < draft-ietf-curdle-cms-chacha20-poly1305-01.txt | draft-ietf-curdle-cms-chacha20-poly1305-02.txt > | |||
|---|---|---|---|---|
| Internet-Draft R. Housley | Internet-Draft R. Housley | |||
| Intended status: Standards Track Vigil Security | Intended status: Standards Track Vigil Security | |||
| Expires: 7 March 2017 7 September 2016 | Expires: 22 March 2017 22 September 2016 | |||
| Using ChaCha20-Poly1305 Authenticated Encryption | Using ChaCha20-Poly1305 Authenticated Encryption | |||
| in the Cryptographic Message Syntax (CMS) | in the Cryptographic Message Syntax (CMS) | |||
| <draft-ietf-curdle-cms-chacha20-poly1305-01.txt> | <draft-ietf-curdle-cms-chacha20-poly1305-02.txt> | |||
| Abstract | Abstract | |||
| This document describes the conventions for using ChaCha20-Poly1305 | This document describes the conventions for using ChaCha20-Poly1305 | |||
| Authenticated Encryption in the Cryptographic Message Syntax (CMS). | Authenticated Encryption in the Cryptographic Message Syntax (CMS). | |||
| ChaCha20-Poly1305 is a construction of the ChaCha stream cipher and | ChaCha20-Poly1305 is an authenticated encryption algorithm | |||
| Poly1305 authenticator. | constructed of the ChaCha stream cipher and Poly1305 authenticator. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 4 November 2016. | This Internet-Draft will expire on 22 March 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
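Review bot: in the revised abstract, "constructed of the ChaCha stream cipher and Poly1305 authenticator" reads awkwardly; suggest "constructed from the ChaCha stream cipher and the Poly1305 authenticator". The rest of this hunk is fine: the -02 header ("Expires: 22 March 2017") and the Status of This Memo sentence ("will expire on 22 March 2017") now agree, whereas -01 gave 7 March 2017 in one place and 4 November 2016 in the other.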
| skipping to change at page 5, line 35 ¶ | skipping to change at page 5, line 35 ¶ | |||
| AEADChaCha20Poly1305Nonce ::= OCTET STRING (SIZE(12)) | AEADChaCha20Poly1305Nonce ::= OCTET STRING (SIZE(12)) | |||
| The AEADChaCha20Poly1305Nonce contains a 12-octet nonce. With the | The AEADChaCha20Poly1305Nonce contains a 12-octet nonce. With the | |||
| CMS, the content-authenticated-encryption key is normally used for a | CMS, the content-authenticated-encryption key is normally used for a | |||
| single content. Within the scope of any content-authenticated- | single content. Within the scope of any content-authenticated- | |||
| encryption key, the nonce value MUST be unique. That is, the set of | encryption key, the nonce value MUST be unique. That is, the set of | |||
| nonce values used with any given key MUST NOT contain any duplicate | nonce values used with any given key MUST NOT contain any duplicate | |||
| values. | values. | |||
| 4. IANA Considerations | 4. S/MIME Capabilities | |||
| {{{ This can be written once the Object Identifier is assigned. }}} | ||||
| 5. IANA Considerations | ||||
| IANA is requested to add the following entry in the SMI Security for | IANA is requested to add the following entry in the SMI Security for | |||
| S/MIME Algorithms (1.2.840.113549.1.9.16.3) registry: | S/MIME Algorithms (1.2.840.113549.1.9.16.3) registry: | |||
| TBD1 id-alg-AEADChaCha20Poly1305 [This Document] | TBD1 id-alg-AEADChaCha20Poly1305 [This Document] | |||
| IANA is requested to add the following entry in the SMI Security for | IANA is requested to add the following entry in the SMI Security for | |||
| S/MIME Module Identifier (1.2.840.113549.1.9.16.0) registry: | S/MIME Module Identifier (1.2.840.113549.1.9.16.0) registry: | |||
| TBD2 id-mod-CMS-AEADChaCha20Poly1305 [This Document] | TBD2 id-mod-CMS-AEADChaCha20Poly1305 [This Document] | |||
| 5. Security Considerations | 6. Security Considerations | |||
| The CMS AuthEnvelopedData provides all of the tools needed to avoid | The CMS AuthEnvelopedData provides all of the tools needed to avoid | |||
| reuse of the same nonce value under the same key. Automated key | reuse of the same nonce value under the same key. Automated key | |||
| management is discussed in Section 2. | management is discussed in Section 2. | |||
| When using AEAD_CHACHA20_POLY1305, the resulting ciphertext is always | When using AEAD_CHACHA20_POLY1305, the resulting ciphertext is always | |||
| the same size as the original plaintext. Some other mechanism needs | the same size as the original plaintext. Some other mechanism needs | |||
| to be used in conjunction with AEAD_CHACHA20_POLY1305 if disclosure | to be used in conjunction with AEAD_CHACHA20_POLY1305 if disclosure | |||
| of the size of the plaintext is a concern. | of the size of the plaintext is a concern. | |||
| The amount of encrypted data possible in a single invocation of | The amount of encrypted data possible in a single invocation of | |||
| AEAD_CHACHA20_POLY1305 is 2^32-1 blocks of 64 octets each, because of | AEAD_CHACHA20_POLY1305 is 2^32-1 blocks of 64 octets each, because of | |||
| the size of the block counter field in the ChaCha20 block function. | the size of the block counter field in the ChaCha20 block function. | |||
| This gives a total of 247,877,906,880 octets, which likely ot be | This gives a total of 247,877,906,880 octets, which likely to be | |||
| sufficient to handle the size of any CMS content type. Note that | sufficient to handle the size of any CMS content type. Note that | |||
| ciphertext length field in the authentication buffer will accomodate | ciphertext length field in the authentication buffer will accomodate | |||
| 2^64 octets, which is much larger than necessary. | 2^64 octets, which is much larger than necessary. | |||
| The AEAD_CHACHA20_POLY1305 construction is a novel composition of | The AEAD_CHACHA20_POLY1305 construction is a novel composition of | |||
| ChaCha20 and Poly1305. A security analysis of this composition is | ChaCha20 and Poly1305. A security analysis of this composition is | |||
| given in [PROCTER]. | given in [PROCTER]. | |||
| Implementations must randomly generate content-authenticated- | Implementations must randomly generate content-authenticated- | |||
| encryption keys. The use of inadequate pseudo-random number | encryption keys. The use of inadequate pseudo-random number | |||
| generators (PRNGs) to generate cryptographic keys can result in | generators (PRNGs) to generate cryptographic keys can result in | |||
| little or no security. An attacker may find it much easier to | little or no security. An attacker may find it much easier to | |||
| reproduce the PRNG environment that produced the keys, searching the | reproduce the PRNG environment that produced the keys, searching the | |||
| resulting small set of possibilities, rather than brute force | resulting small set of possibilities, rather than brute force | |||
| searching the whole key space. The generation of quality random | searching the whole key space. The generation of quality random | |||
| numbers is difficult. RFC 4086 [RANDOM] offers important guidance in | numbers is difficult. RFC 4086 [RANDOM] offers important guidance in | |||
| this area. | this area. | |||
| 6. Acknowledgements | 7. Acknowledgements | |||
| Thanks to Jim Schaad for his review and insightful comments. | Thanks to Jim Schaad for his review and insightful comments. | |||
| 7. Normative References | 8. Normative References | |||
| [AUTHENV] Housley, R., "Cryptographic Message Syntax (CMS) | [AUTHENV] Housley, R., "Cryptographic Message Syntax (CMS) | |||
| Authenticated-Enveloped-Data Content Type", RFC 5083, | Authenticated-Enveloped-Data Content Type", RFC 5083, | |||
| November 2007. | November 2007. | |||
| [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC | [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC | |||
| 5652, September 2009. | 5652, September 2009. | |||
| [FORIETF] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | [FORIETF] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | |||
| Protocols", RFC 7539, May 2015. | Protocols", RFC 7539, May 2015. | |||
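Review bot: the octet total in the Security Considerations paragraph on the block-counter limit is wrong in both columns: (2^32-1) blocks of 64 octets is 274,877,906,880 octets (2^38 - 64), not 247,877,906,880; the leading digits are transposed. In the same paragraph the "ot" to "to" fix still leaves "which likely to be sufficient" without a verb (suggest "which is likely to be sufficient"), "accomodate" should be "accommodate", and "Note that ciphertext length field" wants "the" before "ciphertext". The new Section 4 "S/MIME Capabilities" is only the "{{{ This can be written once the Object Identifier is assigned. }}}" placeholder, which depends on the TBD1/TBD2 assignments requested in Section 5; make sure it is filled in before the draft is published rather than shipping the marker.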
| skipping to change at page 7, line 17 ¶ | skipping to change at page 7, line 17 ¶ | |||
| [X680] ITU-T, "Information technology -- Abstract Syntax Notation | [X680] ITU-T, "Information technology -- Abstract Syntax Notation | |||
| One (ASN.1): Specification of basic notation", ITU-T | One (ASN.1): Specification of basic notation", ITU-T | |||
| Recommendation X.680, 2015. | Recommendation X.680, 2015. | |||
| [X690] ITU-T, "Information technology -- ASN.1 encoding rules: | [X690] ITU-T, "Information technology -- ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical | |||
| Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules | |||
| (DER)", ITU-T Recommendation X.690, 2015. | (DER)", ITU-T Recommendation X.690, 2015. | |||
| 8. Informative References | 9. Informative References | |||
| [AEAD] McGrew, D., "An Interface and Algorithms for Authenticated | [AEAD] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", RFC 5116, January 2008. | Encryption", RFC 5116, January 2008. | |||
| [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", January | [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", January | |||
| 2008, | 2008, | |||
| <http://cr.yp.to/chacha/chacha-20080128.pdf>. | <http://cr.yp.to/chacha/chacha-20080128.pdf>. | |||
| [ESTREAM] Babbage, S., DeCanniere, C., Cantenaut, A., Cid, C., | [ESTREAM] Babbage, S., DeCanniere, C., Cantenaut, A., Cid, C., | |||
| Gilbert, H., Johansson, T., Parker, M., Preneel, B., | Gilbert, H., Johansson, T., Parker, M., Preneel, B., | |||
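Review bot: this hunk only renumbers the Informative References heading, but since the reference list is being touched, the [ESTREAM] entry's "Cantenaut, A." appears to be a misspelling of "Canteaut, A." (Anne Canteaut) in both columns and should be corrected at the same time.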
| End of changes. 10 change blocks. | ||||
| 11 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||