| < draft-ietf-tls-ecdhe-psk-04.txt | draft-ietf-tls-ecdhe-psk-05.txt > | |||
|---|---|---|---|---|
| TLS Working Group Mohamad Badra | TLS Working Group Mohamad Badra | |||
| Internet Draft LIMOS Laboratory | Internet Draft LIMOS Laboratory | |||
| Intended status: Informational October 17, 2008 | Intended status: Informational November 1, 2008 | |||
| Expires: April 2009 | Expires: May 2009 | |||
| ECDHE_PSK Ciphersuites for Transport Layer Security (TLS) | ECDHE_PSK Ciphersuites for Transport Layer Security (TLS) | |||
| draft-ietf-tls-ecdhe-psk-04.txt | draft-ietf-tls-ecdhe-psk-05.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 33 ¶ | skipping to change at page 1, line 33 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| This Internet-Draft will expire on April 17, 2009. | This Internet-Draft will expire on May 1, 2009. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||
| Abstract | Abstract | |||
| This document extends RFC 4279, RFC 4492 and RFC 4785, and specifies | This document extends RFC 4279, RFC 4492 and RFC 4785, and specifies | |||
| a set of ciphersuites that use a pre-shared key (PSK) to authenticate | a set of cipher suites that use a pre-shared key (PSK) to | |||
| an Elliptic Curve Diffie-Hellman exchange (ECDH). These ciphersuites | authenticate an Elliptic Curve Diffie-Hellman exchange (ECDH). These | |||
| provide Perfect Forward Secrecy (PFS). | cipher suites provide Perfect Forward Secrecy (PFS). | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction...................................................3 | 1. Introduction...................................................3 | |||
| 1.1. Applicability Statement...................................3 | 1.1. Applicability Statement...................................3 | |||
| 1.2. Conventions used in this document.........................3 | 1.2. Conventions used in this document.........................3 | |||
| 2. ECDHE_PSK Key Exchange Algorithm...............................3 | 2. ECDHE_PSK Key Exchange Algorithm...............................3 | |||
| 3. ECDHE_PSK Based Cipher Suites..................................5 | 3. ECDHE_PSK Based Cipher Suites..................................4 | |||
| 3.1. ECDHE_PSK Cipher Suites Using the SHA-1 Hash..............5 | 3.1. ECDHE_PSK Cipher Suites Using the SHA-1 Hash..............4 | |||
| 3.2. ECDHE_PSK Cipher Suites Using SHA-2 Hashes................5 | 3.2. ECDHE_PSK Cipher Suites Using SHA-2 Hashes................5 | |||
| 4. ECDHE_PSK Based Cipher Suites with NULL Encryption.............5 | 4. ECDHE_PSK Based Cipher Suites with NULL Encryption.............5 | |||
| 4.1. ECDHE_PSK Cipher Suites Using the SHA-1 Hash with NULL | 4.1. ECDHE_PSK Cipher Suite Using the SHA-1 Hash with NULL | |||
| Encryption.....................................................5 | Encryption.....................................................5 | |||
| 4.2. ECDHE_PSK Cipher Suites Using SHA-2 Hashes with NULL | 4.2. ECDHE_PSK Cipher Suites Using SHA-2 Hashes with NULL | |||
| Encryption.....................................................6 | Encryption.....................................................6 | |||
| 5. Security Considerations........................................6 | 5. Security Considerations........................................6 | |||
| 6. IANA Considerations............................................6 | 6. IANA Considerations............................................6 | |||
| 7. Acknowledgments................................................6 | 7. Acknowledgments................................................7 | |||
| 8. References.....................................................7 | 8. References.....................................................7 | |||
| 8.1. Normative References......................................7 | 8.1. Normative References......................................7 | |||
| Author's Addresses................................................7 | Author's Addresses................................................7 | |||
| Intellectual Property Statement...................................7 | Intellectual Property Statement...................................7 | |||
| Disclaimer of Validity............................................8 | Disclaimer of Validity............................................8 | |||
| 1. Introduction | 1. Introduction | |||
| RFC 4279 specifies cipher suites for supporting TLS using pre-shared | RFC 4279 specifies cipher suites for supporting TLS using pre-shared | |||
| symmetric keys which (a) use only symmetric key operations for | symmetric keys which (a) use only symmetric key operations for | |||
| skipping to change at page 3, line 27 ¶ | skipping to change at page 3, line 27 ¶ | |||
| RFC 4492 defines a set of ECC-based cipher suites for TLS and | RFC 4492 defines a set of ECC-based cipher suites for TLS and | |||
| describes the use of ECC certificates for client authentication. In | describes the use of ECC certificates for client authentication. In | |||
| particular, it specifies the use of Elliptic Curve Diffie-Hellman | particular, it specifies the use of Elliptic Curve Diffie-Hellman | |||
| (ECDH) key agreement in a TLS handshake and the use of Elliptic Curve | (ECDH) key agreement in a TLS handshake and the use of Elliptic Curve | |||
| Digital Signature Algorithm (ECDSA) as a new authentication | Digital Signature Algorithm (ECDSA) as a new authentication | |||
| mechanism. | mechanism. | |||
| This document specifies a set of cipher suites that use a PSK to | This document specifies a set of cipher suites that use a PSK to | |||
| authenticate an ECDH exchange. These cipher suites provide Perfect | authenticate an ECDH exchange. These cipher suites provide Perfect | |||
| Forward Secrecy. One of these ciphersuites provides authentication- | Forward Secrecy. One of these cipher suites provides authentication- | |||
| only. | only. | |||
| The reader is expected to become familiar with RFC 4279, RFC 4492, | The reader is expected to become familiar with RFC 4279, RFC 4492, | |||
| and RFC 4785 prior to studying this document. | and RFC 4785 prior to studying this document. | |||
| 1.1. Applicability Statement | 1.1. Applicability Statement | |||
| The ciphersuites defined in Sections 3.1 and 4.1 can be negotiated, | The cipher suites defined in this document can be negotiated, | |||
| whatever the negotiated TLS version is. | whatever the negotiated TLS version is. | |||
| The ciphersuites defined in Sections 3.2 and 4.2 can be negotiated in | ||||
| TLS version 1.2 or higher. | ||||
| 1.2. Conventions used in this document | 1.2. Conventions used in this document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. ECDHE_PSK Key Exchange Algorithm | 2. ECDHE_PSK Key Exchange Algorithm | |||
| The ciphersuites described in this document make use of the EC | The cipher suites described in this document make use of the EC | |||
| parameter negotiation mechanism defined in RFC 4492. When the | parameter negotiation mechanism defined in RFC 4492. When the cipher | |||
| ciphersuites defined in this document are used, the | suites defined in this document are used, the 'ec_diffie_hellman_psk' | |||
| 'ec_diffie_hellman_psk' case inside the ServerKeyExchange and | case inside the ServerKeyExchange and ClientKeyExchange structure | |||
| ClientKeyExchange structure MUST be used instead of the 'psk' case | MUST be used instead of the 'psk' case defined in [RFC4279] (i.e., | |||
| defined in [RFC4279] (i.e., the ServerKeyExchange and | the ServerKeyExchange and ClientKeyExchange messages include the | |||
| ClientKeyExchange messages include the Diffie-Hellman parameters). | Diffie-Hellman parameters). The PSK identity and identity hint | |||
| The PSK identity and identity hint fields have the same meaning and | fields have the same meaning and encoding as specified in [RFC4279] | |||
| encoding as specified in [RFC4279] (note that the ServerKeyExchange | (note that the ServerKeyExchange message is always sent, even if no | |||
| message is always sent, even if no PSK identity hint is provided). | PSK identity hint is provided). | |||
| The format of the ServerKeyExchange and ClientKeyExchange messages is | The format of the ServerKeyExchange and ClientKeyExchange messages is | |||
| shown below. | shown below. | |||
| struct { | struct { | |||
| select (KeyExchangeAlgorithm) { | select (KeyExchangeAlgorithm) { | |||
| /* other cases for rsa, diffie_hellman, etc. */ | /* other cases for rsa, diffie_hellman, etc. */ | |||
| case ec_diffie_hellman_psk: /* NEW */ | case ec_diffie_hellman_psk: /* NEW */ | |||
| opaque psk_identity_hint<0..2^16-1>; | opaque psk_identity_hint<0..2^16-1>; | |||
| ServerECDHParams params; | ServerECDHParams params; | |||
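Review bot: the rewritten Applicability Statement in draft-05 says every cipher suite in this document can be negotiated "whatever the negotiated TLS version is", dropping the draft-04 sentence that restricted the Section 3.2 and 4.2 SHA-2 suites to TLS 1.2 or higher; that is only sound together with the per-suite fallback "When negotiated in a version of TLS prior to 1.2, the PRF from that version is used" now given in Section 3.2, so the two sections must be kept in sync and the Applicability Statement should say explicitly that a SHA-2 suite negotiated below TLS 1.2 uses that version's PRF. The reflow of Section 2 changes no substance; the parenthetical that the ServerKeyExchange message is always sent even without a PSK identity hint is the right caveat here, since the ec_diffie_hellman_psk case must carry ServerECDHParams.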
| skipping to change at page 5, line 16 ¶ | skipping to change at page 5, line 9 ¶ | |||
| 3.1. ECDHE_PSK Cipher Suites Using the SHA-1 Hash | 3.1. ECDHE_PSK Cipher Suites Using the SHA-1 Hash | |||
| CipherSuite TLS_ECDHE_PSK_WITH_RC4_128_SHA = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_RC4_128_SHA = {0xXX,0xXX}; | |||
| CipherSuite TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA = {0xXX,0xXX}; | |||
| CipherSuite TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = {0xXX,0xXX}; | |||
| CipherSuite TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = {0xXX,0xXX}; | |||
| The above four cipher suites match the cipher suites defined in | The above four cipher suites match the cipher suites defined in | |||
| [RFC4279], except that they use an Elliptic Curve Diffie-Hellman | [RFC4279], except that they use an Elliptic Curve Diffie-Hellman | |||
| exchange [RFC4492] authenticated with a PSK and that: | exchange [RFC4492] authenticated with a PSK, and that: | |||
| o when negotiated in a version of TLS prior to 1.2, they use the | - The MAC is HMAC [RFC2104] with SHA-1 as the hash | |||
| Pseudo Random Function (PRF) from that version; | function. | |||
| o when negotiated in TLS version 1.2, they use the PRF with the | - When negotiated in a version of TLS prior to 1.2, the PRF | |||
| SHA-256 hash function defined in TLS version 1.2. | from that version is used; otherwise the PRF is the TLS | |||
| PRF [RFC5246] with SHA-256 as the hash function. | ||||
| 3.2. ECDHE_PSK Cipher Suites Using SHA-2 Hashes | 3.2. ECDHE_PSK Cipher Suites Using SHA-2 Hashes | |||
| CipherSuite TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 = {0xXX,0xXX}; | |||
| CipherSuite TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 = {0xXX,0xXX}; | |||
| The above two cipher suites are the same as the corresponding AES | The above two cipher suites are the same as the corresponding AES | |||
| cipher suites in section 3.1 above, except for the hash and PRF | cipher suites in section 3.1 above, except for the hash and PRF | |||
| algorithms, which SHALL be as follows: | algorithms, which SHALL be as follows: | |||
| For TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, the PRF is the TLS PRF | O For the cipher suites TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: | |||
| [RFC5246] with SHA-256 as the hash function, and the MAC is HMAC | ||||
| [RFC2104] with SHA-256 as the hash function. | ||||
| For TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, the PRF is the TLS PRF | - The MAC is HMAC [RFC2104] with SHA-256 as the hash | |||
| [RFC5246] with SHA-384 as the hash function, and the MAC is HMAC | function. | |||
| [RFC2104] with SHA-384 as the hash function. | ||||
| - When negotiated in a version of TLS prior to 1.2, the PRF | ||||
| from that version is used; otherwise the PRF is the TLS | ||||
| PRF [RFC5246] with SHA-256 as the hash function. | ||||
| o For the cipher suite TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: | ||||
| - The MAC is HMAC [RFC2104] with SHA-384 as the hash | ||||
| function. | ||||
| - When negotiated in a version of TLS prior to 1.2, the PRF | ||||
| from that version is used; otherwise the PRF is the TLS | ||||
| PRF [RFC5246] with SHA-384 as the hash function. | ||||
| 4. ECDHE_PSK Based Cipher Suites with NULL Encryption | 4. ECDHE_PSK Based Cipher Suites with NULL Encryption | |||
| 4.1. ECDHE_PSK Cipher Suites Using the SHA-1 Hash with NULL Encryption | 4.1. ECDHE_PSK Cipher Suite Using the SHA-1 Hash with NULL Encryption | |||
| The following cipher suite matches the cipher suites defined in | The following cipher suite matches the cipher suites defined in | |||
| section 3.1, except that we define a suite with null encryption. | section 3.1, except that we define a suite with NULL encryption. | |||
| CipherSuite TLS_ECDHE_PSK_WITH_NULL_SHA = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_NULL_SHA = {0xXX,0xXX}; | |||
| 4.2. ECDHE_PSK Cipher Suites Using SHA-2 Hashes with NULL Encryption | 4.2. ECDHE_PSK Cipher Suites Using SHA-2 Hashes with NULL Encryption | |||
| The following two cipher suites are the same as the corresponding | ||||
| cipher suites in section 3.2, but with NULL encryption (instead of | ||||
| AES). | ||||
| CipherSuite TLS_ECDHE_PSK_WITH_NULL_SHA256 = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_NULL_SHA256 = {0xXX,0xXX}; | |||
| CipherSuite TLS_ECDHE_PSK_WITH_NULL_SHA384 = {0xXX,0xXX}; | CipherSuite TLS_ECDHE_PSK_WITH_NULL_SHA384 = {0xXX,0xXX}; | |||
| These two cipher suites are the same as the corresponding cipher | ||||
| suites in section 3.2, but with NULL encryption (instead of AES). | ||||
| 5. Security Considerations | 5. Security Considerations | |||
| The security considerations described throughout [RFC5246], | The security considerations described throughout [RFC5246], | |||
| [RFC4785], [RFC4492], and [RFC4279] apply here as well. In | [RFC4785], [RFC4492], and [RFC4279] apply here as well. In | |||
| particular, as authentication-only cipher suites (with no encryption) | particular, as authentication-only cipher suites (with no encryption) | |||
| defined here do not support confidentiality, care should be taken not | defined here do not support confidentiality, care should be taken not | |||
| to send sensitive information (such as passwords) over connections | to send sensitive information (such as passwords) over connections | |||
| protected with one of the cipher suites with NULL encryption defined | protected with one of the cipher suites with NULL encryption defined | |||
| in this document. | in this document. | |||
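Review bot: the new list in Section 3.2 has inconsistent markers and number: "O For the cipher suites TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256:" uses a capital "O" and a plural for a single suite, while the second item reads "o For the cipher suite TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384:"; make both "o For the cipher suite ...". The fallback added to both items, "When negotiated in a version of TLS prior to 1.2, the PRF from that version is used", means TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 can be negotiated with the pre-1.2 PRF while the MAC is HMAC with SHA-384; if that pairing is intended (it is what the relaxed Applicability Statement now permits), a sentence saying so would stop readers assuming the SHA-2 suites still require TLS 1.2. Section 3.1's new list is an improvement in that it states the MAC (HMAC [RFC2104] with SHA-1) explicitly, which draft-04 left implicit; moving the Section 4.2 sentence ahead of the CipherSuite definitions makes 4.1 and 4.2 consistent. The unchanged Security Considerations still apply to all three NULL-encryption suites in Section 4.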
| skipping to change at page 7, line 12 ¶ | skipping to change at page 7, line 17 ¶ | |||
| The author appreciates Alfred Hoenes for his detailed review and | The author appreciates Alfred Hoenes for his detailed review and | |||
| effort on issues resolving discussion. The author would like to | effort on issues resolving discussion. The author would like to | |||
| acknowledge Bodo Moeller, Simon Josefsson, Uri Blumenthal, Pasi | acknowledge Bodo Moeller, Simon Josefsson, Uri Blumenthal, Pasi | |||
| Eronen, Paul Hoffman, Joseph Salowey, Mark Tillinghast, and the TLS | Eronen, Paul Hoffman, Joseph Salowey, Mark Tillinghast, and the TLS | |||
| mailing list members for their comments on the document. | mailing list members for their comments on the document. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed | ||||
| Hashing for Message Authentication", RFC 2104, February | ||||
| 1997. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites | [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites | |||
| for Transport Layer Security (TLS)", RFC 4279, December | for Transport Layer Security (TLS)", RFC 4279, December | |||
| 2005. | 2005. | |||
| [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C. and B. | [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C. and B. | |||
| Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites | Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites | |||
| for Transport Layer Security (TLS)", RFC 4492, May 2006. | for Transport Layer Security (TLS)", RFC 4492, May 2006. | |||
| End of changes. 21 change blocks. | ||||
| 42 lines changed or deleted | 55 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||