| < draft-ietf-ipsecme-esp-ah-reqts-00.txt | draft-ietf-ipsecme-esp-ah-reqts-01.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force D. McGrew | Network Working Group D. McGrew | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Intended status: Standards Track W. Feghali | Intended status: Standards Track W. Feghali | |||
| Expires: September 12, 2013 Intel Corp. | Expires: March 10, 2014 Intel Corp. | |||
| March 11, 2013 | P. Hoffman | |||
| VPN Consortium | ||||
| September 06, 2013 | ||||
| Cryptographic Algorithm Implementation Requirements and Usage Guidance | Cryptographic Algorithm Implementation Requirements and Usage Guidance | |||
| for Encapsulating Security Payload (ESP) and Authentication Header (AH) | for Encapsulating Security Payload (ESP) and Authentication Header (AH) | |||
| draft-ietf-ipsecme-esp-ah-reqts-00 | draft-ietf-ipsecme-esp-ah-reqts-01 | |||
| Abstract | Abstract | |||
| This Internet Draft is standards track proposal to update to the | This Internet Draft is standards track proposal to update to the | |||
| Cryptographic Algorithm Implementation Requirements for ESP and AH; | Cryptographic Algorithm Implementation Requirements for ESP and AH; | |||
| it also adds usage guidance to help in the selection of these | it also adds usage guidance to help in the selection of these | |||
| algorithms. | algorithms. | |||
| The Encapsulating Security Payload (ESP) and Authentication Header | The Encapsulating Security Payload (ESP) and Authentication Header | |||
| (AH) protocols makes use of various cryptographic algorithms to | (AH) protocols makes use of various cryptographic algorithms to | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 36 ¶ | |||
| architecture. To ensure interoperability between disparate | architecture. To ensure interoperability between disparate | |||
| implementations, the IPsec standard specifies a set of mandatory-to- | implementations, the IPsec standard specifies a set of mandatory-to- | |||
| implement algorithms. This document specifies the current set of | implement algorithms. This document specifies the current set of | |||
| mandatory-to-implement algorithms for ESP and AH, specifies | mandatory-to-implement algorithms for ESP and AH, specifies | |||
| algorithms that should be implemented because they may be promoted to | algorithms that should be implemented because they may be promoted to | |||
| mandatory at some future time, and also recommends against the | mandatory at some future time, and also recommends against the | |||
| implementation of some obsolete algorithms. Usage guidance is also | implementation of some obsolete algorithms. Usage guidance is also | |||
| provided to help the user of ESP and AH best achieve their security | provided to help the user of ESP and AH best achieve their security | |||
| goals through appropriate choices of cryptographic algorithms. | goals through appropriate choices of cryptographic algorithms. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 10, 2014. | ||||
| This Internet-Draft will expire on September 12, 2013. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Document History . . . . . . . . . . . . . . . . . . . . . 4 | 2. Implementation Requirements . . . . . . . . . . . . . . . . . 4 | |||
| 2. Implementation Requirements . . . . . . . . . . . . . . . . . 5 | 2.1. ESP Authenticated Encryption (Combined Mode Algorithms) . 4 | |||
| 2.1. ESP Authenticated Encryption (Combined Mode Algorithms) . 5 | 2.2. ESP Encryption Algorithms . . . . . . . . . . . . . . . . 4 | |||
| 2.2. ESP Encryption Algorithms . . . . . . . . . . . . . . . . 5 | 2.3. ESP Authentication Algorithms . . . . . . . . . . . . . . 4 | |||
| 2.3. ESP Authentication Algorithms . . . . . . . . . . . . . . 5 | 2.4. AH Authentication Algorithms . . . . . . . . . . . . . . 5 | |||
| 2.4. AH Authentication Algorithms . . . . . . . . . . . . . . . 5 | 2.5. Summary of Changes . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.5. Summary of Changes . . . . . . . . . . . . . . . . . . . . 5 | 3. Usage Guidance . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Usage Guidance . . . . . . . . . . . . . . . . . . . . . . . . 7 | 4. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 4.1. Authenticated Encryption . . . . . . . . . . . . . . . . 6 | |||
| 4.1. Authenticated Encryption . . . . . . . . . . . . . . . . . 8 | 4.2. Encryption Transforms . . . . . . . . . . . . . . . . . . 6 | |||
| 4.2. Encryption Transforms . . . . . . . . . . . . . . . . . . 8 | 4.3. Authentication Transforms . . . . . . . . . . . . . . . . 7 | |||
| 4.3. Authentication Transforms . . . . . . . . . . . . . . . . 9 | 5. Algorithm Diversity . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Algorithm Diversity . . . . . . . . . . . . . . . . . . . . . 10 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 14 | 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 | ||||
| 1. Introduction | 1. Introduction | |||
| The Encapsulating Security Payload (ESP) [RFC4303] and the | The Encapsulating Security Payload (ESP) [RFC4303] and the | |||
| Authentication Header (AH) [RFC4302] are the mechanisms for applying | Authentication Header (AH) [RFC4302] are the mechanisms for applying | |||
| cryptographic protection to data being sent over an IPsec Security | cryptographic protection to data being sent over an IPsec Security | |||
| Association (SA) [RFC4301]. | Association (SA) [RFC4301]. | |||
| To ensure interoperability between disparate implementations, it is | To ensure interoperability between disparate implementations, it is | |||
| necessary to specify a set of mandatory-to-implement algorithms. | necessary to specify a set of mandatory-to-implement algorithms. | |||
| skipping to change at page 4, line 20 ¶ | skipping to change at page 4, line 13 ¶ | |||
| future time to be a MUST. | future time to be a MUST. | |||
| SHOULD- This term means the same as SHOULD. However, it is likely | SHOULD- This term means the same as SHOULD. However, it is likely | |||
| that an algorithm marked as SHOULD- will be deprecated to a MAY or | that an algorithm marked as SHOULD- will be deprecated to a MAY or | |||
| worse in a future version of this document. | worse in a future version of this document. | |||
| SHOULD NOT+ This term means the same as SHOULD NOT. However, it is | SHOULD NOT+ This term means the same as SHOULD NOT. However, it is | |||
| likely that an algorithm marked as SHOULD NOT+ will be deprecated | likely that an algorithm marked as SHOULD NOT+ will be deprecated | |||
| to a MUST NOT in a future version of this document. | to a MUST NOT in a future version of this document. | |||
| 1.2. Document History | ||||
| This is the initial version of this draft. It is based on an earlier | ||||
| individual submission [draft-mcgrew-ipsec-me-esp-ah-reqts], and | ||||
| incorporates feedback provided during the last IPsec ME meeting at | ||||
| IETF85. Triple-DES is now a MAY (instead of SHOULD NOT) and HMAC-MD5 | ||||
| is now ignored (instead of a SHOULD NOT), and "MAY" is no longer | ||||
| called out, except for algorithms that were previously listed as | ||||
| SHOULD, SHOULD+, or MUST. | ||||
| This revision also adds a section discussing algorithm diversity, and | ||||
| references to new work on the selection of future cryptographic | ||||
| standards [draft-mcgrew-standby-cipher] and technical work showing | ||||
| the insecurity of 64-bit block ciphers (such as the Triple-DES | ||||
| algorithm) used to encrypt more than a gigabyte of data [M13]. | ||||
| 2. Implementation Requirements | 2. Implementation Requirements | |||
| This section specifies the cryptographic algorithms that MUST be | This section specifies the cryptographic algorithms that MUST be | |||
| implemented, and provides guidance about ones that SHOULD or SHOULD | implemented, and provides guidance about ones that SHOULD or SHOULD | |||
| NOT be implemented. | NOT be implemented. | |||
| 2.1. ESP Authenticated Encryption (Combined Mode Algorithms) | 2.1. ESP Authenticated Encryption (Combined Mode Algorithms) | |||
| ESP combined mode algorithms provide both confidentiality and | ESP combined mode algorithms provide both confidentiality and | |||
| authentication services; in cryptographic terms, these are | authentication services; in cryptographic terms, these are | |||
| authenticated encryption algorithms [RFC5116]. Authenticated | authenticated encryption algorithms [RFC5116]. Authenticated | |||
| encryption transforms are listed in the ESP encryption transforms | encryption transforms are listed in the ESP encryption transforms | |||
| IANA registry. | IANA registry. | |||
| Requirement Authenticated Encryption Algorithm | Requirement Authenticated Encryption Algorithm | |||
| ----------- ---------------------------------- | ----------- ---------------------------------- | |||
| SHOULD+ AES-GCM [RFC4106] | SHOULD+ AES-GCM [RFC4106] | |||
| MAY AES-CCM [RFC4309] | MAY AES-CCM [RFC4309] | |||
| 2.2. ESP Encryption Algorithms | 2.2. ESP Encryption Algorithms | |||
| Requirement Encryption Algorithm | Requirement Encryption Algorithm | |||
| ----------- -------------------------- | ----------- -------------------------- | |||
| MUST NULL [RFC2410] | MUST NULL [RFC2410] | |||
| MUST AES-128-CBC [RFC3602] | MUST AES-128-CBC [RFC3602] | |||
| MAY AES-CTR [RFC3686] | MAY AES-CTR [RFC3686] | |||
| MAY TripleDES-CBC [RFC2451] | MAY TripleDES-CBC [RFC2451] | |||
| SHOULD NOT+ DES-CBC [RFC2405] | SHOULD NOT+ DES-CBC [RFC2405] | |||
| 2.3. ESP Authentication Algorithms | 2.3. ESP Authentication Algorithms | |||
| Requirement Authentication Algorithm (notes) | Requirement Authentication Algorithm (notes) | |||
| ----------- ----------------------------- | ----------- ----------------------------- | |||
| MUST HMAC-SHA1-96 [RFC2404] | MUST HMAC-SHA1-96 [RFC2404] | |||
| SHOULD+ AES-GMAC [RFC4543] | SHOULD+ AES-GMAC [RFC4543] | |||
| SHOULD AES-XCBC-MAC-96 [RFC3566] | SHOULD AES-XCBC-MAC-96 [RFC3566] | |||
| MAY NULL [RFC4303] | MAY NULL [RFC4303] | |||
| 2.4. AH Authentication Algorithms | 2.4. AH Authentication Algorithms | |||
| The requirements for AH are the same as for ESP Authentication | The requirements for AH are the same as for ESP Authentication | |||
| Algorithms, except that NULL authentication is inapplicable. | Algorithms, except that NULL authentication is inapplicable. | |||
| 2.5. Summary of Changes | 2.5. Summary of Changes | |||
| Old New | ||||
| Requirement Requirement Algorithm (notes) | Old New | |||
| ---- ----------- ----------------- | Requirement Requirement Algorithm (notes) | |||
| MAY SHOULD+ AES-GCM [RFC4106] | ---- ----------- ----------------- | |||
| MAY SHOULD+ AES-GMAC [RFC4543] | MAY SHOULD+ AES-GCM [RFC4106] | |||
| MUST- MAY TripleDES-CBC [RFC2451] | MAY SHOULD+ AES-GMAC [RFC4543] | |||
| SHOULD+ SHOULD AES-XCBC-MAC-96 [RFC3566] | MUST- MAY TripleDES-CBC [RFC2451] | |||
| SHOULD MAY AES-CTR [RFC3686] | SHOULD+ SHOULD AES-XCBC-MAC-96 [RFC3566] | |||
| SHOULD MAY AES-CTR [RFC3686] | ||||
| 3. Usage Guidance | 3. Usage Guidance | |||
| Since ESP and AH can be used in several different ways, this note | Since ESP and AH can be used in several different ways, this document | |||
| provides guidance on the best way to utilize these mechanisms. | provides guidance on the best way to utilize these mechanisms. | |||
| ESP can provide confidentiality, data origin authentication, or the | ESP can provide confidentiality, data origin authentication, or the | |||
| combination of both of those security services. AH provides only | combination of both of those security services. AH provides only | |||
| data origin authentication. Background information on those security | data origin authentication. Background information on those security | |||
| services is available [RFC4949]. In the following, we shorten `data | services is available [RFC4949]. In the following, we shorten `data | |||
| origin authentication' to `authentication'. | origin authentication' to `authentication'. | |||
| Both confidentiality and authentication SHOULD be provided. If | Both confidentiality and authentication SHOULD be provided. If | |||
| confidentiality is not needed, then authentication MAY be provided. | confidentiality is not needed, then authentication MAY be provided. | |||
| skipping to change at page 8, line 12 ¶ | skipping to change at page 6, line 22 ¶ | |||
| "birthday bound" [M13]. Triple-DES CBC is listed as a MAY implement | "birthday bound" [M13]. Triple-DES CBC is listed as a MAY implement | |||
| for the sake of backwards compatibility, but its use is discouraged. | for the sake of backwards compatibility, but its use is discouraged. | |||
| 4. Rationale | 4. Rationale | |||
| This section explains the principles behind the implementation | This section explains the principles behind the implementation | |||
| requirements described above. | requirements described above. | |||
| The algorithms listed as MAY-implement are not meant to be endorsed | The algorithms listed as MAY-implement are not meant to be endorsed | |||
| over other non-standard alternatives. All of the algorithms that | over other non-standard alternatives. All of the algorithms that | |||
| appeared in [RFC4835] are included in this note, for the sake of | appeared in [RFC4835] are included in this document, for the sake of | |||
| continuity. In some cases, these algorithms have moved from being | continuity. In some cases, these algorithms have moved from being | |||
| SHOULD-implement to MAY-implement algorithms. | SHOULD-implement to MAY-implement algorithms. | |||
| 4.1. Authenticated Encryption | 4.1. Authenticated Encryption | |||
| This note encourages the use of authenticated encryption algorithms | This document encourages the use of authenticated encryption | |||
| because they can provide significant efficiency and throughput | algorithms because they can provide significant efficiency and | |||
| advantages, and the tight binding between authentication and | throughput advantages, and the tight binding between authentication | |||
| encryption can be a security advantage [RFC5116]. | and encryption can be a security advantage [RFC5116]. | |||
| AES-GCM [RFC4106] brings significant performance benefits [KKGEGD], | AES-GCM [RFC4106] brings significant performance benefits [KKGEGD], | |||
| has been incorporated into IPsec recommendations [RFC6379] and has | has been incorporated into IPsec recommendations [RFC6379] and has | |||
| emerged as the preferred authenticated encryption method in IPsec and | emerged as the preferred authenticated encryption method in IPsec and | |||
| other standards. | other standards. | |||
| 4.2. Encryption Transforms | 4.2. Encryption Transforms | |||
| Since ESP encryption is optional, support for the "NULL" algorithm is | Since ESP encryption is optional, support for the "NULL" algorithm is | |||
| required to maintain consistency with the way services are | required to maintain consistency with the way services are | |||
| negotiated. Note that while authentication and encryption can each | negotiated. Note that while authentication and encryption can each | |||
| be "NULL", they MUST NOT both be "NULL" [RFC4301] [H10]. | be "NULL", they MUST NOT both be "NULL" [RFC4301] [H10]. | |||
| AES Counter Mode (AES-CTR) is an efficient encryption method, but it | AES Counter Mode (AES-CTR) is an efficient encryption method, but it | |||
| provides no authentication capability. The AES-GCM authenticated | provides no authentication capability. The AES-GCM authenticated | |||
| encryption method has all of the advantages of AES-CTR, while also | encryption method has all of the advantages of AES-CTR, while also | |||
| providing authentication. Thus this note moves AES-CTR from a SHOULD | providing authentication. Thus this document moves AES-CTR from a | |||
| to a MAY. | SHOULD to a MAY. | |||
| The Triple Data Encryption Standard (TDES) is obsolete because of its | The Triple Data Encryption Standard (TDES) is obsolete because of its | |||
| small block size; as with all 64-bit block ciphers, it SHOULD NOT be | small block size; as with all 64-bit block ciphers, it SHOULD NOT be | |||
| used to encrypt more than one gigabyte of data with a single key | used to encrypt more than one gigabyte of data with a single key | |||
| [M13]. Its key size is smaller than that of the Advanced Encryption | [M13]. Its key size is smaller than that of the Advanced Encryption | |||
| Standard (AES), while at the same time its performance and efficiency | Standard (AES), while at the same time its performance and efficiency | |||
| is worse. Thus, its use in new implementations is discouraged. | is worse. Thus, its use in new implementations is discouraged. | |||
| The Data Encryption Standard (DES) is obsolete because of its small | The Data Encryption Standard (DES) is obsolete because of its small | |||
| key size and small block size. There have been publicly demonstrated | key size and small block size. There have been publicly demonstrated | |||
| skipping to change at page 9, line 26 ¶ | skipping to change at page 7, line 38 ¶ | |||
| code does not seem to have a practical vulnerability. Thus, it may | code does not seem to have a practical vulnerability. Thus, it may | |||
| not be urgent to remove HMAC-MD5 from the existing protocols. | not be urgent to remove HMAC-MD5 from the existing protocols. | |||
| SHA-1 has been found to not meet its goal of collision resistance. | SHA-1 has been found to not meet its goal of collision resistance. | |||
| However, HMAC-SHA-1 does not rely on this property, and HMAC-SHA-1 is | However, HMAC-SHA-1 does not rely on this property, and HMAC-SHA-1 is | |||
| believed to be secure. | believed to be secure. | |||
| The HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 are believed to | The HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 are believed to | |||
| provide a good security margin, and they perform adequately on many | provide a good security margin, and they perform adequately on many | |||
| platforms. However, these algorithms are not recommended for | platforms. However, these algorithms are not recommended for | |||
| implementation in this note, because HMAC-SHA-1 support is widespread | implementation in this document, because HMAC-SHA-1 support is | |||
| and its security is good, AES-GMAC provides good security with better | widespread and its security is good, AES-GMAC provides good security | |||
| performance, and Authenticated Encryption algorithms do not need any | with better performance, and Authenticated Encryption algorithms do | |||
| authentication methods. | not need any authentication methods. | |||
| AES-XCBC has not seen widespread deployment, despite being previously | AES-XCBC has not seen widespread deployment, despite being previously | |||
| being recommended as a SHOULD+ in RFC4305. Thus this draft lists it | being recommended as a SHOULD+ in RFC4305. Thus this draft lists it | |||
| only as a SHOULD. | only as a SHOULD. | |||
| 5. Algorithm Diversity | 5. Algorithm Diversity | |||
| When the AES cipher was first adopted, it was decided to continue | When the AES cipher was first adopted, it was decided to continue | |||
| encouraging the implementation of Triple-DES, in order to provide | encouraging the implementation of Triple-DES, in order to provide | |||
| algorithm diversity. But the passage of time has eroded the | algorithm diversity. But the passage of time has eroded the | |||
| skipping to change at page 10, line 21 ¶ | skipping to change at page 8, line 14 ¶ | |||
| block cipher, its security is inadequate at high data rates (see | block cipher, its security is inadequate at high data rates (see | |||
| Section 4.2). Its performance in software and FPGAs is considerably | Section 4.2). Its performance in software and FPGAs is considerably | |||
| worse than that of AES. Since it would not be possible to use | worse than that of AES. Since it would not be possible to use | |||
| Triple-DES as an alternative to AES in high data rate environments, | Triple-DES as an alternative to AES in high data rate environments, | |||
| or in environments where its performance could not keep up the | or in environments where its performance could not keep up the | |||
| requirements, the rationale of retaining Triple-DES to provide | requirements, the rationale of retaining Triple-DES to provide | |||
| algorithm diversity is disappearing. (Of course, this does not | algorithm diversity is disappearing. (Of course, this does not | |||
| change the rationale of retaining Triple-DES in IPsec implementations | change the rationale of retaining Triple-DES in IPsec implementations | |||
| for backwards compability.) | for backwards compability.) | |||
| It may be prudent to begin considering the selection of a different | Recent discussions in the IETF have started considering how to make | |||
| cipher that could provide algorithm diversity in IPsec and other IETF | the selection of a different cipher that could provide algorithm | |||
| standards. There are many important criteria to consider, which are | diversity in IPsec and other IETF standards. That work is expected | |||
| out of scope for this note. These issues have been taken up in | to take a long time and involve discussions among many participants | |||
| recent work [draft-mcgrew-standby-cipher]. | and organizations. | |||
| It is important to bear in mind that it is very highly unlikely that | It is important to bear in mind that it is very highly unlikely that | |||
| an exploitable flaw will be found in AES (e.g., a flaw that required | an exploitable flaw will be found in AES (e.g., a flaw that required | |||
| less than a terabyte of known plaintext, when AES is used in a | less than a terabyte of known plaintext, when AES is used in a | |||
| conventional mode of operation). The only reason that algorithm | conventional mode of operation). The only reason that algorithm | |||
| diversity deserves any consideration is because the problems that | diversity deserves any consideration is because the problems that | |||
| would be caused if such a flaw were found would be so large. | would be caused if such a flaw were found would be so large. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| skipping to change at page 12, line 7 ¶ | skipping to change at page 8, line 40 ¶ | |||
| document of this document. That RFC itself borrows from [RFC4305], | document of this document. That RFC itself borrows from [RFC4305], | |||
| which borrows in turn from [RFC4307]. RFC4835, RFC4305, and RFC4307 | which borrows in turn from [RFC4307]. RFC4835, RFC4305, and RFC4307 | |||
| were authored by Vishwas Manral, Donald Eastlake, and Jeffrey | were authored by Vishwas Manral, Donald Eastlake, and Jeffrey | |||
| Schiller respectively. | Schiller respectively. | |||
| Thanks are due to Scott Fluhrer, Dan Harkins, Brian Weis, and Cheryl | Thanks are due to Scott Fluhrer, Dan Harkins, Brian Weis, and Cheryl | |||
| Madson for insightful feedback on this draft. | Madson for insightful feedback on this draft. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This memo includes no request to IANA. | None. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| The security of a system that uses cryptography depends on both the | The security of a system that uses cryptography depends on both the | |||
| strength of the cryptographic algorithms chosen and the strength of | strength of the cryptographic algorithms chosen and the strength of | |||
| the keys used with those algorithms. The security also depends on | the keys used with those algorithms. The security also depends on | |||
| the engineering and administration of the protocol used by the system | the engineering and administration of the protocol used by the system | |||
| to ensure that there are no non-cryptographic ways to bypass the | to ensure that there are no non-cryptographic ways to bypass the | |||
| security of the overall system. | security of the overall system. | |||
| skipping to change at page 14, line 13 ¶ | skipping to change at page 9, line 24 ¶ | |||
| this area. | this area. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within | [RFC2403] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within | |||
| ESP and AH", 1998. | ESP and AH", RFC 2403, November 1998. | |||
| [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within | [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within | |||
| ESP and AH", 1998. | ESP and AH", RFC 2404, November 1998. | |||
| [RFC2405] Madson, C. and N. Doraswamy, "The ESP DES-CBC Cipher | [RFC2405] Madson, C. and N. Doraswamy, "The ESP DES-CBC Cipher | |||
| Algorithm With Explicit IV", 1998. | Algorithm With Explicit IV", RFC 2405, November 1998. | |||
| [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and | [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm and | |||
| Its Use With IPsec", 1998. | Its Use With IPsec", RFC 2410, November 1998. | |||
| [RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm | [RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm | |||
| and Its Use With IPsec", 2003. | and Its Use With IPsec", RFC 3566, September 2003. | |||
| [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher | [RFC3602] Frankel, S., Glenn, R., and S. Kelly, "The AES-CBC Cipher | |||
| Algorithm and Its Use with IPsec", 2003. | Algorithm and Its Use with IPsec", RFC 3602, September | |||
| 2003. | ||||
| [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) | [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) | |||
| Counter Mode With IPsec Encapsulating Security Payload | Counter Mode With IPsec Encapsulating Security Payload | |||
| (ESP)", 2004. | (ESP)", RFC 3686, January 2004. | |||
| [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode | [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode | |||
| (GCM) in IPsec Encapsulating Security Payload (ESP)", | (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC | |||
| 2005. | 4106, June 2005. | |||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", 2005. | Internet Protocol", RFC 4301, December 2005. | |||
| [RFC4302] Kent, S., "IP Authentication Header", 2005. | [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December | |||
| 2005. | ||||
| [RFC4303] Kent, S., "IP Encapsulating Security Payload", 2005. | [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | |||
| 4303, December 2005. | ||||
| 9.2. Informative References | 9.2. Informative References | |||
| [B96] Bellovin, S., "Problem areas for the IP security protocols | [B96] Bellovin, S., "Problem areas for the IP security protocols | |||
| (Proceedings of the Sixth Usenix Unix Security | (Proceedings of the Sixth Usenix Unix Security | |||
| Symposium)", 1996. | Symposium)", 1996. | |||
| [DP07] Degabriele, J. and K. Paterson, "Attacking the IPsec | [DP07] Degabriele, J. and K. Paterson, "Attacking the IPsec | |||
| Standards in Encryption-only Configurations (IEEE | Standards in Encryption-only Configurations (IEEE | |||
| Symposium on Privacy and Security)", 2007. | Symposium on Privacy and Security)", 2007. | |||
| [H10] Hoban, A., "Using Intel AES New Instructions and PCLMULQDQ | [H10] Hoban, A., "Using Intel AES New Instructions and PCLMULQDQ | |||
| to Significantly Improve IPSec Performance on Linux", | to Significantly Improve IPSec Performance on Linux ", | |||
| 2010. | 2010. | |||
| [KKGEGD] Kounavis, M., Kang, X., Grewal, K., Eszenyi, M., Gueron, | [KKGEGD] Kounavis, M., Kang, X., Grewal, K., Eszenyi, M., Gueron, | |||
| S., and D. Durham, "Encrypting the Internet (SIGCOMM)", | S., and D. Durham, "Encrypting the Internet (SIGCOMM)", | |||
| 2010. | 2010. | |||
| [M13] McGrew, D., "Impossible plaintext cryptanalysis and | [M13] McGrew, D., "Impossible plaintext cryptanalysis and | |||
| probable-plaintext collision attacks of 64-bit block | probable-plaintext collision attacks of 64-bit block | |||
| cipher modes", 2012. | cipher modes ", 2012. | |||
| [PD10] Paterson, K. and J. Degabriele, "On the (in)security of | [PD10] Paterson, K. and J. Degabriele, "On the (in)security of | |||
| IPsec in MAC-then-encrypt configurations (ACM Conference | IPsec in MAC-then-encrypt configurations (ACM Conference | |||
| on Computer and Communications Security, ACM CCS)", 2010. | on Computer and Communications Security, ACM CCS)", 2010. | |||
| [RFC4305] Eastlake, D., "Cryptographic Algorithm Implementation | [RFC4305] Eastlake, D., "Cryptographic Algorithm Implementation | |||
| Requirements for Encapsulating Security Payload (ESP) and | Requirements for Encapsulating Security Payload (ESP) and | |||
| Authentication Header (AH)". | Authentication Header (AH)", RFC 4305, December 2005. | |||
| [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the | [RFC4307] Schiller, J., "Cryptographic Algorithms for Use in the | |||
| Internet Key Exchange Version 2 (IKEv2)", 2005. | Internet Key Exchange Version 2 (IKEv2)", RFC 4307, | |||
| December 2005. | ||||
| [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM | [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM | |||
| Mode with IPsec Encapsulating Security Payload (ESP)", | Mode with IPsec Encapsulating Security Payload (ESP)", RFC | |||
| 2005. | 4309, December 2005. | |||
| [RFC4835] Manral, V., "Cryptographic Algorithm Implementation | [RFC4835] Manral, V., "Cryptographic Algorithm Implementation | |||
| Requirements for Encapsulating Security Payload (ESP) and | Requirements for Encapsulating Security Payload (ESP) and | |||
| Authentication Header (AH)". | Authentication Header (AH)", RFC 4835, April 2007. | |||
| [RFC4949] Shirley, R., "Internet Security Glossary, Version 2", | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC | |||
| 2007. | 4949, August 2007. | |||
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", 2008. | Encryption", RFC 5116, January 2008. | |||
| [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations | [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations | |||
| for the MD5 Message-Digest and the HMAC-MD5 Algorithms", | for the MD5 Message-Digest and the HMAC-MD5 Algorithms", | |||
| 2011. | RFC 6151, March 2011. | |||
| [RFC6379] Law, L. and J. Solinas, "Suite B Cryptographic Suites for | [RFC6379] Law, L. and J. Solinas, "Suite B Cryptographic Suites for | |||
| IPsec", 2011. | IPsec", RFC 6379, October 2011. | |||
| [V02] Vaudenay, S., "Security Flaws Induced by CBC Padding - | [V02] Vaudenay, S., "Security Flaws Induced by CBC Padding - | |||
| Applications to SSL, IPSEC, WTLS ... (EUROCRYPT)", 2002. | Applications to SSL, IPSEC, WTLS ... (EUROCRYPT)", 2002. | |||
| [draft-mcgrew-ipsec-me-esp-ah-reqts] | ||||
| McGrew, D., "Cryptographic Algorithm Implementation | ||||
| Requirements and Usage Guidance for Encapsulating Security | ||||
| Payload (ESP) and Authentication Header (AH)", 2012. | ||||
| [draft-mcgrew-standby-cipher] | ||||
| McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | ||||
| Future Cryptographic Standards", 2013. | ||||
| Authors' Addresses | Authors' Addresses | |||
| David McGrew | David McGrew | |||
| Cisco Systems | Cisco Systems | |||
| 13600 Dulles Technology Drive | 13600 Dulles Technology Drive | |||
| Herndon, Virginia 20171 | Herndon, Virginia 20171 | |||
| USA | USA | |||
| Phone: 408 525 8651 | Phone: 408 525 8651 | |||
| Email: mcgrew@cisco.com | Email: mcgrew@cisco.com | |||
| Wajdi Feghali | Wajdi Feghali | |||
| Intel Corp. | Intel Corp. | |||
| 75 Reed Road | 75 Reed Road | |||
| Hudson, Massachusetts | Hudson, Massachusetts | |||
| USA | USA | |||
| Phone: | ||||
| Email: wajdi.k.feghali@intel.com | Email: wajdi.k.feghali@intel.com | |||
| Paul Hoffman | ||||
| VPN Consortium | ||||
| Email: paul.hoffman@vpnc.org | ||||
| End of changes. 42 change blocks. | ||||
| 122 lines changed or deleted | 101 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||