| < draft-mattsson-tls-ecdhe-psk-aead-02.txt | draft-mattsson-tls-ecdhe-psk-aead-03.txt > | |||
|---|---|---|---|---|
| Network Working Group J. Mattsson | Network Working Group J. Mattsson | |||
| Internet-Draft D. Migault | Internet-Draft D. Migault | |||
| Intended status: Standards Track Ericsson | Intended status: Standards Track Ericsson | |||
| Expires: January 25, 2016 July 24, 2015 | Expires: June 10, 2016 December 8, 2015 | |||
| ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites | ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites | |||
| for Transport Layer Security (TLS) | for Transport Layer Security (TLS) | |||
| draft-mattsson-tls-ecdhe-psk-aead-02 | draft-mattsson-tls-ecdhe-psk-aead-03 | |||
| Abstract | Abstract | |||
| This memo defines several new cipher suites for the Transport Layer | This document defines several new cipher suites for the Transport | |||
| Security (TLS) protocol. The cipher suites are all based on the | Layer Security (TLS) protocol. The cipher suites are all based on | |||
| Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key | the Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key | |||
| (ECDHE_PSK) key exchange together with the Authenticated Encryption | (ECDHE_PSK) key exchange together with the Authenticated Encryption | |||
| with Associated Data (AEAD) algorithms AES-GCM and AES-CCM. PSK | with Associated Data (AEAD) algorithms AES-GCM and AES-CCM. PSK | |||
| provides light and efficient authentication, ECDHE provides perfect | provides light and efficient authentication, ECDHE provides perfect | |||
| forward secrecy, and AES-GCM and AES-CCM provides encryption and | forward secrecy, and AES-GCM and AES-CCM provides encryption and | |||
| integrity protection. | integrity protection. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 25, 2016. | This Internet-Draft will expire on June 10, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites . . . . . . 3 | 2. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites . . . . . . 3 | |||
| 3. Applicable TLS Versions . . . . . . . . . . . . . . . . . . . 3 | 3. Applicable TLS Versions . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 4 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 5 | 7.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines new cipher suites that provide Pre-Shared Key | This document defines new cipher suites that provide Pre-Shared Key | |||
| (PSK) authentication, Perfect Forward Secrecy (PFS), and | (PSK) authentication, Perfect Forward Secrecy (PFS), and | |||
| Authenticated Encryption with Associated Data (AEAD). | Authenticated Encryption with Associated Data (AEAD). The cipher | |||
| suites are defined for version 1.2 or later of the the Transport | ||||
| Layer Security (TLS) [RFC5246] protocol, as well as version 1.2 or | ||||
| later of the Datagram Transport Layer Security (DTLS) protocol | ||||
| [RFC6347]. | ||||
| Pre-Shared Key (PSK) Authentication is widely used in many scenarios. | Pre-Shared Key (PSK) Authentication is widely used in many scenarios. | |||
| One deployment is 3GPP networks where pre-shared keys are used to | One deployment is 3GPP networks where pre-shared keys are used to | |||
| authenticate both subscriber and network. Another deployment is | authenticate both subscriber and network. Another deployment is | |||
| Internet of Things where PSK authentication is often preferred for | Internet of Things where PSK authentication is often preferred for | |||
| performance and energy efficiency reasons. In both scenarios the | performance and energy efficiency reasons. In both scenarios the | |||
| endpoints are owned/controlled by a party that provisions the pre- | endpoints are owned/controlled by a party that provisions the pre- | |||
| shared keys and makes sure that they provide a high level of entropy. | shared keys and makes sure that they provide a high level of entropy. | |||
| Perfect Forward Secrecy (PFS) is a strongly recommended feature in | Perfect Forward Secrecy (PFS) is a strongly recommended feature in | |||
| security protocol design and can be accomplished by using an | security protocol design and can be accomplished by using an | |||
| ephemeral Diffie-Hellman key exchange method. Ephemeral Elliptic | ephemeral Diffie-Hellman key exchange method. Ephemeral Elliptic | |||
| Curve Diffie-Hellman (ECDHE) provides PFS with excellent performance | Curve Diffie-Hellman (ECDHE) provides PFS with excellent performance | |||
| and small key sizes. ECDHE is mandatory to implement in both HTTP/2 | and small key sizes. ECDHE is mandatory to implement in both HTTP/2 | |||
| [RFC7540] and CoAP [RFC7252]. | [RFC7540] and CoAP [RFC7252]. | |||
| AEAD algorithms that combine encryption and integrity protection are | AEAD algorithms that combine encryption and integrity protection are | |||
| strongly recommended [RFC7525] and non-AEAD algorithms will be | strongly recommended [RFC7525] and non-AEAD algorithms are forbidden | |||
| forbidden to use in future versions of TLS. The AEAD algorithms | to use in TLS 1.3 [I-D.ietf-tls-tls13]. The AEAD algorithms | |||
| considered in this document are AES-GCM and AES-CCM. The use of AES- | considered in this document are AES-GCM and AES-CCM. The use of AES- | |||
| GCM in TLS is defined in [RFC5288] and the use of AES-CCM is defined | GCM in TLS is defined in [RFC5288] and the use of AES-CCM is defined | |||
| in [RFC6655]. | in [RFC6655]. | |||
| [RFC4279] defines Pre-Shared Key (PSK) cipher suites for TLS but does | [RFC4279] defines Pre-Shared Key (PSK) cipher suites for TLS but does | |||
| not consider Elliptic Curve Cryptography. [RFC4492] introduces | not consider Elliptic Curve Cryptography. [RFC4492] introduces | |||
| Elliptic Curve Cryptography for TLS but does not consider PSK | Elliptic Curve Cryptography for TLS but does not consider PSK | |||
| authentication. [RFC5487] describes the use of AES-GCM in | authentication. [RFC5487] describes the use of AES-GCM in | |||
| combination with PSK authentication, but does not consider ECDHE. | combination with PSK authentication, but does not consider ECDHE. | |||
| [RFC5489] describes the use of PSK in combination with ECDHE but does | [RFC5489] describes the use of PSK in combination with ECDHE but does | |||
| skipping to change at page 3, line 32 ¶ | skipping to change at page 3, line 37 ¶ | |||
| TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384 = {TDB8,TDB9}; | TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384 = {TDB8,TDB9}; | |||
| For the AES-128 cipher suites, the TLS Pseudorandom Function (PRF) | For the AES-128 cipher suites, the TLS Pseudorandom Function (PRF) | |||
| with SHA-256 as the hash function SHALL be used and Clients and | with SHA-256 as the hash function SHALL be used and Clients and | |||
| Servers MUST NOT negotiate curves of less than 255 bits. | Servers MUST NOT negotiate curves of less than 255 bits. | |||
| For the AES-256 cipher suites, the TLS PRF with SHA-384 as the hash | For the AES-256 cipher suites, the TLS PRF with SHA-384 as the hash | |||
| function SHALL be used and Clients and Servers MUST NOT negotiate | function SHALL be used and Clients and Servers MUST NOT negotiate | |||
| curves of less than 384 bits. | curves of less than 384 bits. | |||
| When used in TLS 1.2, the keying material is derived as described in | ||||
| [RFC5489] and [RFC5246] and nonces are constructed as described in | ||||
| [RFC5288], and [RFC6655]. When used in TLS 1.3, the keying material | ||||
| is derived as described in [I-D.ietf-tls-tls13], and the nonces are | ||||
| constructed as described in [I-D.ietf-tls-tls13]. | ||||
| 3. Applicable TLS Versions | 3. Applicable TLS Versions | |||
| The cipher suites defined in this document make use of the | The cipher suites defined in this document make use of the | |||
| authenticated encryption with additional data (AEAD) defined in TLS | authenticated encryption with additional data (AEAD) defined in TLS | |||
| 1.2 [RFC5246]. Earlier versions of TLS do not have support for AEAD | 1.2 [RFC5246] and DTLS 1.2 [RFC6347]. Earlier versions of TLS do not | |||
| and consequently, these cipher suites MUST NOT be negotiated in TLS | have support for AEAD and consequently, these cipher suites MUST NOT | |||
| versions prior to 1.2. Clients MUST NOT offer these cipher suites if | be negotiated in TLS versions prior to 1.2. Clients MUST NOT offer | |||
| they do not offer TLS 1.2 or later. Servers, which select an earlier | these cipher suites if they do not offer TLS 1.2 or later. Servers, | |||
| version of TLS MUST NOT select one of these cipher suites. A client | which select an earlier version of TLS MUST NOT select one of these | |||
| MUST treat the selection of these cipher suites in combination with a | cipher suites. A client MUST treat the selection of these cipher | |||
| version of TLS that does not support AEAD (i.e., TLS 1.1 or earlier) | suites in combination with a version of TLS that does not support | |||
| as an error and generate a fatal 'illegal_parameter' TLS alert. | AEAD (i.e., TLS 1.1 or earlier) as an error and generate a fatal | |||
| 'illegal_parameter' TLS alert. | ||||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document defines the following new cipher suites, whose values | This document defines the following new cipher suites, whose values | |||
| have been assigned in the TLS Cipher Suite Registry defined by | have been assigned in the TLS Cipher Suite Registry defined by | |||
| [RFC5246]. | [RFC5246]. | |||
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = {TDB0,TDB1}; | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = {TDB0,TDB1}; | |||
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = {TDB2,TDB3}; | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = {TDB2,TDB3}; | |||
| TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = {TDB4,TDB5}; | TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = {TDB4,TDB5}; | |||
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = {TDB6,TDB7}; | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = {TDB6,TDB7}; | |||
| TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384 = {TDB8,TDB9}; | TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384 = {TDB8,TDB9}; | |||
| 5. Security Considerations | 5. Security Considerations | |||
| The security considerations in TLS 1.2 [RFC5246], ECDHE_PSK | The security considerations in TLS 1.2 [RFC5246], DTLS 1.2 [RFC6347], | |||
| [RFC5489], AES_GCM [RFC5288], and AES_CCM [RFC6655] apply to this | TLS 1.3 [I-D.ietf-tls-tls13], ECDHE_PSK [RFC5489], AES-GCM [RFC5288], | |||
| document as well. | and AES-CCM [RFC6655] apply to this document as well. | |||
| All the cipher suites defined in this document provide | All the cipher suites defined in this document provide | |||
| confidentiality, mutual authentication, and perfect forward secrecy. | confidentiality, mutual authentication, and perfect forward secrecy. | |||
| The AES-128 cipher suites provide 128-bit security and the AES-256 | The AES-128 cipher suites provide 128-bit security and the AES-256 | |||
| cipher suites provide at least 192-bit security. However, | cipher suites provide at least 192-bit security. However, | |||
| AES_128_CCM_8 only provides 64-bit security against message forgery | AES_128_CCM_8 only provides 64-bit security against message forgery | |||
| and AES_256_GCM and AES_256_CCM only provide 128-bit security against | and AES_256_GCM and AES_256_CCM only provide 128-bit security against | |||
| message forgery. | message forgery. | |||
| Use of Pre-Shared Keys of limited entropy (for example, a PSK that is | Use of Pre-Shared Keys of limited entropy (for example, a PSK that is | |||
| skipping to change at page 4, line 37 ¶ | skipping to change at page 4, line 47 ¶ | |||
| entropy than its length would imply) may allow an active attacker to | entropy than its length would imply) may allow an active attacker to | |||
| perform a brute-force attack where the attacker attempts to connect | perform a brute-force attack where the attacker attempts to connect | |||
| to the server and tries different keys. Passive eavesdropping alone | to the server and tries different keys. Passive eavesdropping alone | |||
| is not sufficient. For these reasons the Pre-Shared Keys used for | is not sufficient. For these reasons the Pre-Shared Keys used for | |||
| authentication MUST have a security level equal or higher than the | authentication MUST have a security level equal or higher than the | |||
| cipher suite used, i.e. at least 128-bit for the AES-128 cipher | cipher suite used, i.e. at least 128-bit for the AES-128 cipher | |||
| suites and at least 192-bit for the AES-256 cipher suites. | suites and at least 192-bit for the AES-256 cipher suites. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The authors would like to thank Ilari Liusvaara, Eric Rescorla, and | The authors would like to thank Ilari Liusvaara, Eric Rescorla, Dan | |||
| Dan Harkins for their valuable comments and feedback. | Harkins, and Russ Housley for their valuable comments and feedback. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-tls-tls13] | ||||
| Rescorla, E., "The Transport Layer Security (TLS) Protocol | ||||
| Version 1.3", draft-ietf-tls-tls13-10 (work in progress), | ||||
| October 2015. | ||||
| [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | |||
| Ciphersuites for Transport Layer Security (TLS)", | Ciphersuites for Transport Layer Security (TLS)", | |||
| RFC 4279, DOI 10.17487/RFC4279, December 2005, | RFC 4279, DOI 10.17487/RFC4279, December 2005, | |||
| <http://www.rfc-editor.org/info/rfc4279>. | <http://www.rfc-editor.org/info/rfc4279>. | |||
| [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. | [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. | |||
| Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites | Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites | |||
| for Transport Layer Security (TLS)", RFC 4492, | for Transport Layer Security (TLS)", RFC 4492, | |||
| DOI 10.17487/RFC4492, May 2006, | DOI 10.17487/RFC4492, May 2006, | |||
| <http://www.rfc-editor.org/info/rfc4492>. | <http://www.rfc-editor.org/info/rfc4492>. | |||
| skipping to change at page 5, line 30 ¶ | skipping to change at page 5, line 44 ¶ | |||
| [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois | [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois | |||
| Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, | Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, | |||
| DOI 10.17487/RFC5288, August 2008, | DOI 10.17487/RFC5288, August 2008, | |||
| <http://www.rfc-editor.org/info/rfc5288>. | <http://www.rfc-editor.org/info/rfc5288>. | |||
| [RFC5489] Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for | [RFC5489] Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for | |||
| Transport Layer Security (TLS)", RFC 5489, | Transport Layer Security (TLS)", RFC 5489, | |||
| DOI 10.17487/RFC5489, March 2009, | DOI 10.17487/RFC5489, March 2009, | |||
| <http://www.rfc-editor.org/info/rfc5489>. | <http://www.rfc-editor.org/info/rfc5489>. | |||
| [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | ||||
| Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, | ||||
| January 2012, <http://www.rfc-editor.org/info/rfc6347>. | ||||
| [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for | [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for | |||
| Transport Layer Security (TLS)", RFC 6655, | Transport Layer Security (TLS)", RFC 6655, | |||
| DOI 10.17487/RFC6655, July 2012, | DOI 10.17487/RFC6655, July 2012, | |||
| <http://www.rfc-editor.org/info/rfc6655>. | <http://www.rfc-editor.org/info/rfc6655>. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [RFC5487] Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA- | [RFC5487] Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA- | |||
| 256/384 and AES Galois Counter Mode", RFC 5487, | 256/384 and AES Galois Counter Mode", RFC 5487, | |||
| DOI 10.17487/RFC5487, March 2009, | DOI 10.17487/RFC5487, March 2009, | |||
| skipping to change at page 6, line 17 ¶ | skipping to change at page 6, line 35 ¶ | |||
| DOI 10.17487/RFC7540, May 2015, | DOI 10.17487/RFC7540, May 2015, | |||
| <http://www.rfc-editor.org/info/rfc7540>. | <http://www.rfc-editor.org/info/rfc7540>. | |||
| Authors' Addresses | Authors' Addresses | |||
| John Mattsson | John Mattsson | |||
| Ericsson AB | Ericsson AB | |||
| SE-164 80 Stockholm | SE-164 80 Stockholm | |||
| Sweden | Sweden | |||
| Phone: +46 76 115 35 01 | ||||
| Email: john.mattsson@ericsson.com | Email: john.mattsson@ericsson.com | |||
| Daniel Migault | Daniel Migault | |||
| Ericsson | Ericsson | |||
| 8400 boulevard Decarie | 8400 boulevard Decarie | |||
| Montreal, QC H4P 2N2 | Montreal, QC H4P 2N2 | |||
| Canada | Canada | |||
| Phone: +1 514-452-2160 | Phone: +1 514-452-2160 | |||
| Email: daniel.migault@ericsson.com | Email: daniel.migault@ericsson.com | |||
| End of changes. 15 change blocks. | ||||
| 26 lines changed or deleted | 47 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||