| < draft-ietf-curdle-cms-chacha20-poly1305-04.txt | draft-ietf-curdle-cms-chacha20-poly1305-05.txt > | |||
|---|---|---|---|---|
| Internet-Draft R. Housley | Internet-Draft R. Housley | |||
| Intended status: Standards Track Vigil Security | Intended status: Standards Track Vigil Security | |||
| Expires: 1 June 2017 1 December 2016 | Expires: 6 July 2017 6 January 2017 | |||
| Using ChaCha20-Poly1305 Authenticated Encryption | Using ChaCha20-Poly1305 Authenticated Encryption | |||
| in the Cryptographic Message Syntax (CMS) | in the Cryptographic Message Syntax (CMS) | |||
| <draft-ietf-curdle-cms-chacha20-poly1305-04.txt> | <draft-ietf-curdle-cms-chacha20-poly1305-05.txt> | |||
| Abstract | Abstract | |||
| This document describes the conventions for using ChaCha20-Poly1305 | This document describes the conventions for using ChaCha20-Poly1305 | |||
| Authenticated Encryption in the Cryptographic Message Syntax (CMS). | Authenticated Encryption in the Cryptographic Message Syntax (CMS). | |||
| ChaCha20-Poly1305 is an authenticated encryption algorithm | ChaCha20-Poly1305 is an authenticated encryption algorithm | |||
| constructed of the ChaCha stream cipher and Poly1305 authenticator. | constructed of the ChaCha stream cipher and Poly1305 authenticator. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 1 June 2017. | This Internet-Draft will expire on 6 July 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| 1. Introduction | 1. Introduction | |||
| This document specifies the conventions for using the | This document specifies the conventions for using ChaCha20-Poly1305 | |||
| ChaCha20-Poly1305 Authenticated Encryption as the content- | Authenticated Encryption with the Cryptographic Message Syntax (CMS) | |||
| authenticated-encryption algorithm with the Cryptographic Message | [CMS] authenticated-enveloped-data content type [AUTHENV]. | |||
| Syntax (CMS) [CMS] authenticated-enveloped-data content type | ||||
| [AUTHENV]. | ||||
| ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in | ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in | |||
| 2008. It is a refinement of Salsa20, which is one of the ciphers in | 2008. It is a refinement of Salsa20, which is one of the ciphers in | |||
| the eSTREAM portfolio [ESTREAM]. | the eSTREAM portfolio [ESTREAM]. | |||
| ChaCha20 is the 20-round variant of ChaCha; it requires a 256-bit key | ChaCha20 is the 20-round variant of ChaCha; it requires a 256-bit key | |||
| and a 96-bit nonce. ChaCha20 is described in [FORIETF]. | and a 96-bit nonce. [FORIETF] provides a detailed algorithm | |||
| description, examples, and test vectors of ChaCha20. | ||||
| Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator | Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator | |||
| designed by D. J. Bernstein. Poly1305 produces a 16-byte | designed by D. J. Bernstein. Poly1305 produces a 16-byte | |||
| authentication tag; it requires a 256-bit, single-use key. Poly1305 | authentication tag; it requires a 256-bit, single-use key. [FORIETF] | |||
| is also described in [FORIETF]. | also provides a detailed algorithm description, examples, and test | |||
| vectors of Poly1305. | ||||
| ChaCha20 and Poly1305 have been designed for high performance | ChaCha20 and Poly1305 have been designed for high performance | |||
| software implementations. They can typically be implemented with few | software implementations. They can typically be implemented with few | |||
| resources and inexpensive operations, making them suitable on a wide | resources and inexpensive operations, making them suitable on a wide | |||
| range of systems. They have also been designed to minimize leakage | range of systems. They have also been designed to minimize leakage | |||
| of information through side channels. | of information through side channels. | |||
| 1.1. The ChaCha20 and Poly1305 AEAD Construction | 1.1. The ChaCha20 and Poly1305 AEAD Construction | |||
| ChaCha20 and Poly1305 have been combined to create an Authenticated | ChaCha20 and Poly1305 have been combined to create an Authenticated | |||
| skipping to change at page 4, line 15 ¶ | skipping to change at page 4, line 15 ¶ | |||
| 3. Using the AEAD_CHACHA20_POLY1305 Algorithm with AuthEnvelopedData | 3. Using the AEAD_CHACHA20_POLY1305 Algorithm with AuthEnvelopedData | |||
| This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
| implementations that support the authenticated-enveloped-data content | implementations that support the authenticated-enveloped-data content | |||
| type and the AEAD_CHACHA20_POLY1305 algorithm. | type and the AEAD_CHACHA20_POLY1305 algorithm. | |||
| The AEAD_CHACHA20_POLY1305 algorithm identifier is located in the | The AEAD_CHACHA20_POLY1305 algorithm identifier is located in the | |||
| AuthEnvelopedData EncryptedContentInfo contentEncryptionAlgorithm | AuthEnvelopedData EncryptedContentInfo contentEncryptionAlgorithm | |||
| field. | field. | |||
| The AEAD_CHACHA20_POLY1305 algorithm is used to encipher the content | The AEAD_CHACHA20_POLY1305 algorithm is used to authenticate the | |||
| located in the AuthEnvelopedData EncryptedContentInfo | attributes located in the AuthEnvelopedData authAttrs field, if any | |||
| encryptedContent field and to provide the message authentication code | are present, encipher the content located in the AuthEnvelopedData | |||
| (MAC) located in the AuthEnvelopedData mac field. The ciphertext and | EncryptedContentInfo encryptedContent field, and to provide the | |||
| the MAC are the two outputs of the AEAD_CHACHA20_POLY1305 Algorithm. | message authentication code (MAC) located in the AuthEnvelopedData | |||
| Note that the MAC, which is called the authentication tag in | mac field. The authenticated attributes are DER encoded to produce | |||
| [FORIETF], provides integrity protection for both the | the AAD input value to the AEAD_CHACHA20_POLY1305 algorithm. The | |||
| AuthEnvelopedData authAttrs and the AuthEnvelopedData | ciphertext and the MAC are the two outputs of the | |||
| AEAD_CHACHA20_POLY1305 algorithm. Note that the MAC, which is called | ||||
| the authentication tag in [FORIETF], provides integrity protection | ||||
| for both the AuthEnvelopedData authAttrs and the AuthEnvelopedData | ||||
| EncryptedContentInfo encryptedContent. | EncryptedContentInfo encryptedContent. | |||
| Neither the plaintext content nor the optional AAD inputs need to be | Neither the plaintext content nor the optional AAD inputs need to be | |||
| padded prior to invoking the AEAD_CHACHA20_POLY1305 algorithm. | padded prior to invoking the AEAD_CHACHA20_POLY1305 algorithm. | |||
| There is one algorithm identifier for the AEAD_CHACHA20_POLY1305 | There is one algorithm identifier for the AEAD_CHACHA20_POLY1305 | |||
| algorithm: | algorithm: | |||
| id-alg-AEADChaCha20Poly1305 OBJECT IDENTIFIER ::= | id-alg-AEADChaCha20Poly1305 OBJECT IDENTIFIER ::= | |||
| { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) | { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) | |||
| skipping to change at page 6, line 27 ¶ | skipping to change at page 6, line 30 ¶ | |||
| generators (PRNGs) to generate cryptographic keys can result in | generators (PRNGs) to generate cryptographic keys can result in | |||
| little or no security. An attacker may find it much easier to | little or no security. An attacker may find it much easier to | |||
| reproduce the PRNG environment that produced the keys, searching the | reproduce the PRNG environment that produced the keys, searching the | |||
| resulting small set of possibilities, rather than brute force | resulting small set of possibilities, rather than brute force | |||
| searching the whole key space. The generation of quality random | searching the whole key space. The generation of quality random | |||
| numbers is difficult. RFC 4086 [RANDOM] offers important guidance in | numbers is difficult. RFC 4086 [RANDOM] offers important guidance in | |||
| this area. | this area. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| Thanks to Jim Schaad, Daniel Migault, and Stephen Farrell for their | Thanks to Jim Schaad, Daniel Migault, Stephen Farrell, Yoav Nir, and | |||
| review and insightful comments. | Niclas Comstedt for their review and insightful comments. | |||
| 8. Normative References | 8. Normative References | |||
| [AUTHENV] Housley, R., "Cryptographic Message Syntax (CMS) | [AUTHENV] Housley, R., "Cryptographic Message Syntax (CMS) | |||
| Authenticated-Enveloped-Data Content Type", RFC 5083, | Authenticated-Enveloped-Data Content Type", RFC 5083, | |||
| November 2007. | November 2007. | |||
| [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC | [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC | |||
| 5652, September 2009. | 5652, September 2009. | |||
| End of changes. 8 change blocks. | ||||
| 21 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||