| < draft-ietf-ipsecme-chacha20-poly1305-07.txt | draft-ietf-ipsecme-chacha20-poly1305-08.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Standards Track May 7, 2015 | Intended status: Standards Track May 14, 2015 | |||
| Expires: November 8, 2015 | Expires: November 15, 2015 | |||
| ChaCha20, Poly1305 and their use in IKE & IPsec | ChaCha20, Poly1305 and their use in IKE & IPsec | |||
| draft-ietf-ipsecme-chacha20-poly1305-07 | draft-ietf-ipsecme-chacha20-poly1305-08 | |||
| Abstract | Abstract | |||
| This document describes the use of the ChaCha20 stream cipher along | This document describes the use of the ChaCha20 stream cipher along | |||
| with the Poly1305 authenticator, combined into an AEAD algorithm for | with the Poly1305 authenticator, combined into an AEAD algorithm for | |||
| the Internet Key Exchange protocol (IKEv2) and for IPsec. | the Internet Key Exchange protocol (IKEv2) and for IPsec. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 32 ¶ | skipping to change at page 1, line 32 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 8, 2015. | This Internet-Draft will expire on November 15, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 47 ¶ | skipping to change at page 2, line 47 ¶ | |||
| the only other widely supported cipher being the much slower 3DES, it | the only other widely supported cipher being the much slower 3DES, it | |||
| is not feasible to re-configure IPsec installations away from AES. | is not feasible to re-configure IPsec installations away from AES. | |||
| [standby-cipher] describes this issue and the need for a standby | [standby-cipher] describes this issue and the need for a standby | |||
| cipher in greater detail. | cipher in greater detail. | |||
| This document proposes the fast and secure ChaCha20 stream cipher as | This document proposes the fast and secure ChaCha20 stream cipher as | |||
| such a standby cipher in an Authenticated Encryption with Associated | such a standby cipher in an Authenticated Encryption with Associated | |||
| Data (AEAD) construction with the Poly1305 authenticator for use with | Data (AEAD) construction with the Poly1305 authenticator for use with | |||
| the Encapsulated Security Protocol (ESP - [RFC4303]) and the Internet | the Encapsulated Security Protocol (ESP - [RFC4303]) and the Internet | |||
| Key Exchange Protocol (IKEv2 - [RFC7296]). The algorithms are | Key Exchange Protocol (IKEv2 - [RFC7296]). The algorithms are | |||
| described in a separate document ([chacha_poly]). This document only | described in a separate document ([RFC7539]). This document only | |||
| describes the IPsec-specific things. | describes the IPsec-specific things. | |||
| 1.1. Conventions Used in This Document | 1.1. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. ChaCha20 & Poly1305 for ESP | 2. ChaCha20 & Poly1305 for ESP | |||
| AEAD_CHACHA20_POLY1305 is a combined mode algorithm, or AEAD. The | AEAD_CHACHA20_POLY1305 is a combined mode algorithm, or AEAD. The | |||
| construction follows the AEAD construction in section 2.8 of | construction follows the AEAD construction in section 2.8 of | |||
| [chacha_poly]: | [RFC7539]: | |||
| o The Initialization Vector (IV) is 64-bit, and is used as part of | o The Initialization Vector (IV) is 64-bit, and is used as part of | |||
| the nonce. The IV MUST be unique for each invocation for a | the nonce. The IV MUST be unique for each invocation for a | |||
| particular SA but does not need to be unpredictable. The use of a | particular SA but does not need to be unpredictable. The use of a | |||
| counter or a linear feedback shift register (LFSR) is RECOMMENDED. | counter or a linear feedback shift register (LFSR) is RECOMMENDED. | |||
| o A 32-bit Salt is prepended to the 64-bit IV to form the 96-bit | o A 32-bit Salt is prepended to the 64-bit IV to form the 96-bit | |||
| nonce. The salt is fixed per SA and it is not transmitted as part | nonce. The salt is fixed per SA and it is not transmitted as part | |||
| of the ESP packet. | of the ESP packet. | |||
| o The encryption key is 256-bit. | o The encryption key is 256-bit. | |||
| o The Internet Key Exchange protocol generates a bitstring called | o The Internet Key Exchange protocol generates a bitstring called | |||
| skipping to change at page 4, line 6 ¶ | skipping to change at page 4, line 6 ¶ | |||
| plaintext, no padding should be necessary. However, in keeping with | plaintext, no padding should be necessary. However, in keeping with | |||
| the specification in RFC 4303, the plaintext always has a pad length | the specification in RFC 4303, the plaintext always has a pad length | |||
| octet and a Next Header octet and may require padding bytes so as to | octet and a Next Header octet and may require padding bytes so as to | |||
| align the buffer to an integral multiple of 4 octets. | align the buffer to an integral multiple of 4 octets. | |||
| The same key and nonce, along with a block counter of zero are passed | The same key and nonce, along with a block counter of zero are passed | |||
| to the ChaCha20 block function, and the top 256 bits of the result | to the ChaCha20 block function, and the top 256 bits of the result | |||
| are used as the Poly1305 key. | are used as the Poly1305 key. | |||
| Finally, the Poly1305 function is run on the data to be | Finally, the Poly1305 function is run on the data to be | |||
| authenticated, which is, as specified in section 2.8 of [chacha_poly] | authenticated, which is, as specified in section 2.8 of [RFC7539] a | |||
| a concatenation of the following in the below order: | concatenation of the following in the below order: | |||
| o The Authenticated Additional Data (AAD) - see Section 2.1. | o The Authenticated Additional Data (AAD) - see Section 2.1. | |||
| o Zero-octet padding that rounds the length up to 16 bytes. This is | o Zero-octet padding that rounds the length up to 16 bytes. This is | |||
| 4 or 8 bytes depending on the length of the AAD. | 4 or 8 bytes depending on the length of the AAD. | |||
| o The ciphertext | o The ciphertext | |||
| o Zero octet padding that rounds the total length up to an integral | o Zero octet padding that rounds the total length up to an integral | |||
| multiple of 16 bytes. | multiple of 16 bytes. | |||
| o The length of the additional authenticated data (AAD) in octets | o The length of the additional authenticated data (AAD) in octets | |||
| (as a 64-bit integer encoded in little-endian byte order). | (as a 64-bit integer encoded in little-endian byte order). | |||
| o The length of the ciphertext in octets (as a 64-bit integer | o The length of the ciphertext in octets (as a 64-bit integer | |||
| skipping to change at page 5, line 32 ¶ | skipping to change at page 5, line 32 ¶ | |||
| The most important security consideration in implementing this draft | The most important security consideration in implementing this draft | |||
| is the uniqueness of the nonce used in ChaCha20. The nonce should be | is the uniqueness of the nonce used in ChaCha20. The nonce should be | |||
| selected uniquely for a particular key, but unpredictability of the | selected uniquely for a particular key, but unpredictability of the | |||
| nonce is not required. Counters and LFSRs are both acceptable ways | nonce is not required. Counters and LFSRs are both acceptable ways | |||
| of generating unique nonces. | of generating unique nonces. | |||
| Another issue with implementing these algorithms is avoiding side | Another issue with implementing these algorithms is avoiding side | |||
| channels. This is trivial for ChaCha20, but requires some care for | channels. This is trivial for ChaCha20, but requires some care for | |||
| Poly1305. Considerations for implementations of these algorithms are | Poly1305. Considerations for implementations of these algorithms are | |||
| in the [chacha_poly] document. | in [RFC7539]. | |||
| The Salt value in used nonce construction in ESP and IKEv2 is derived | The Salt value in used nonce construction in ESP and IKEv2 is derived | |||
| from the keystream, same as the encryption key. It is never | from the keystream, same as the encryption key. It is never | |||
| transmitted on the wire, but the security of the algorithm does not | transmitted on the wire, but the security of the algorithm does not | |||
| depend on its secrecy. Thus implementations that keep keys and other | depend on its secrecy. Thus implementations that keep keys and other | |||
| secret material within some security boundary MAY export the Salt | secret material within some security boundary MAY export the Salt | |||
| from the security boundary. This may be useful if the API provided | from the security boundary. This may be useful if the API provided | |||
| by the library accepts the nonce as parameter rather than the IV. | by the library accepts the nonce as parameter rather than the IV. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| skipping to change at page 6, line 35 ¶ | skipping to change at page 6, line 35 ¶ | |||
| [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption | [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption | |||
| Algorithms with the Encrypted Payload of the Internet Key | Algorithms with the Encrypted Payload of the Internet Key | |||
| Exchange version 2 (IKEv2) Protocol", RFC 5282, August | Exchange version 2 (IKEv2) Protocol", RFC 5282, August | |||
| 2008. | 2008. | |||
| [RFC7296] Kivinen, T., Kaufman, C., Hoffman, P., Nir, Y., and P. | [RFC7296] Kivinen, T., Kaufman, C., Hoffman, P., Nir, Y., and P. | |||
| Eronen, "Internet Key Exchange Protocol Version 2 | Eronen, "Internet Key Exchange Protocol Version 2 | |||
| (IKEv2)", RFC 7296, October 2014. | (IKEv2)", RFC 7296, October 2014. | |||
| [chacha_poly] | [RFC7539] Langley, A. and Y. Nir, "ChaCha20 and Poly1305 for IETF | |||
| Langley, A. and Y. Nir, "ChaCha20 and Poly1305 for IETF | protocols", RFC 7539, May 2015. | |||
| protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in | ||||
| progress), January 2014. | ||||
| 8.2. Informative References | 8.2. Informative References | |||
| [AE] Bellare, M. and C. Namprempre, "Authenticated Encryption: | [AE] Bellare, M. and C. Namprempre, "Authenticated Encryption: | |||
| Relations among notions and analysis of the generic | Relations among notions and analysis of the generic | |||
| composition paradigm", 2000, | composition paradigm", 2000, | |||
| <http://cseweb.ucsd.edu/~mihir/papers/oem.html>. | <http://cseweb.ucsd.edu/~mihir/papers/oem.html>. | |||
| [FIPS-197] | [FIPS-197] | |||
| National Institute of Standards and Technology, "Advanced | National Institute of Standards and Technology, "Advanced | |||
| End of changes. 8 change blocks. | ||||
| 13 lines changed or deleted | 11 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||