| < draft-ietf-tls-chacha20-poly1305-03.txt | draft-ietf-tls-chacha20-poly1305-04.txt > | |||
|---|---|---|---|---|
| Network Working Group A. Langley | Network Working Group A. Langley | |||
| Internet-Draft W. Chang | Internet-Draft W. Chang | |||
| Updates: 5246, 6347 (if approved) Google Inc | Updates: 5246, 6347 (if approved) Google Inc | |||
| Intended status: Standards Track N. Mavrogiannopoulos | Intended status: Standards Track N. Mavrogiannopoulos | |||
| Expires: June 2, 2016 Red Hat | Expires: June 18, 2016 Red Hat | |||
| J. Strombergson | J. Strombergson | |||
| Secworks Sweden AB | Secworks Sweden AB | |||
| S. Josefsson | S. Josefsson | |||
| SJD AB | SJD AB | |||
| November 30, 2015 | December 16, 2015 | |||
| ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) | ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS) | |||
| draft-ietf-tls-chacha20-poly1305-03 | draft-ietf-tls-chacha20-poly1305-04 | |||
| Abstract | Abstract | |||
| This document describes the use of the ChaCha stream cipher and | This document describes the use of the ChaCha stream cipher and | |||
| Poly1305 authenticator in the Transport Layer Security (TLS) and | Poly1305 authenticator in the Transport Layer Security (TLS) and | |||
| Datagram Transport Layer Security (DTLS) protocols. | Datagram Transport Layer Security (DTLS) protocols. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 2, 2016. | This Internet-Draft will expire on June 18, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 5 ¶ | |||
| The nonce is constructed from the record sequence number and shared | The nonce is constructed from the record sequence number and shared | |||
| secret, both of which are known to the recipient. The advantage is | secret, both of which are known to the recipient. The advantage is | |||
| that no per-record, explicit nonce need be transmitted, which saves | that no per-record, explicit nonce need be transmitted, which saves | |||
| eight bytes per record and prevents implementations from mistakenly | eight bytes per record and prevents implementations from mistakenly | |||
| using a random nonce. Thus, in the terms of [RFC5246], | using a random nonce. Thus, in the terms of [RFC5246], | |||
| SecurityParameters.fixed_iv_length is twelve bytes and | SecurityParameters.fixed_iv_length is twelve bytes and | |||
| SecurityParameters.record_iv_length is zero bytes. | SecurityParameters.record_iv_length is zero bytes. | |||
| The following cipher suites are defined. | The following cipher suites are defined. | |||
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
| TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
| TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} | |||
| The DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, ECDHE_PSK, DHE_PSK and | The DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, ECDHE_PSK, DHE_PSK and | |||
| RSA_PSK key exchanges for these cipher suites are unaltered and thus | RSA_PSK key exchanges for these cipher suites are unaltered and thus | |||
| are performed as defined in [RFC5246], [RFC4492], and [RFC5489]. | are performed as defined in [RFC5246], [RFC4492], and [RFC5489]. | |||
| The pseudorandom function (PRF) for all the cipher suites defined in | The pseudorandom function (PRF) for all the cipher suites defined in | |||
| this document is the TLS PRF with SHA-256 as the hash function. | this document is the TLS PRF with SHA-256 as the hash function. | |||
| 3. IANA Considerations | 3. IANA Considerations | |||
| IANA is requested to add the following entries in the TLS Cipher | IANA is requested to add the following entries in the TLS Cipher | |||
| Suite Registry: | Suite Registry: | |||
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xA8} | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xA8} | |||
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xA9} | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xA9} | |||
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAA} | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAA} | |||
| TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAB} | TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAB} | |||
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAC} | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAC} | |||
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAD} | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAD} | |||
| TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0xAE} | TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = {0xTBD, 0xTBD} {0xCC, 0xAE} | |||
| The cipher suite numbers listed in the second column are numbers used | The cipher suite numbers listed in the second column are numbers used | |||
| for cipher suite interoperability testing and it's suggested that | for cipher suite interoperability testing and it's suggested that | |||
| IANA use these values for assignment. | IANA use these values for assignment. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| ChaCha20 follows the same basic principle as Salsa20[SALSA20SPEC], a | ChaCha20 follows the same basic principle as Salsa20[SALSA20SPEC], a | |||
| cipher with significant security review [SALSA20-SECURITY][ESTREAM]. | cipher with significant security review [SALSA20-SECURITY][ESTREAM]. | |||
| At the time of writing this document, there are no known significant | At the time of writing this document, there are no known significant | |||
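
Review bot: In the Section 2 suite list and again in the Section 3 IANA table, every name gains a _SHA256 suffix, but the only text that explains it is the unchanged PRF paragraph ("the TLS PRF with SHA-256 as the hash function"). These suites use Poly1305 as the authenticator, so a sentence next to the list stating that the suffix names the PRF hash and not a record MAC would prevent misreading. It would also help to state that only the names changed from -03: the suggested code points {0xCC, 0xA8} through {0xCC, 0xAE} are identical in both columns, so implementations that match on the values are unaffected, while Section 2 still shows {0xTBD, 0xTBD} and leaves Section 3 as the only place to find them.
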
| End of changes. 8 change blocks. | ||||
| 18 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||