| draft-mattsson-tls-ecdhe-psk-aead-04.txt | draft-mattsson-tls-ecdhe-psk-aead-05.txt |
|---|---|
| Network Working Group J. Mattsson | Network Working Group J. Mattsson | |||
| Internet-Draft D. Migault | Internet-Draft D. Migault | |||
| Intended status: Standards Track Ericsson | Intended status: Standards Track Ericsson | |||
| Expires: October 9, 2016 April 7, 2016 | Expires: October 20, 2016 April 18, 2016 | |||
| ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites | ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites | |||
| for Transport Layer Security (TLS) | for Transport Layer Security (TLS) | |||
| draft-mattsson-tls-ecdhe-psk-aead-04 | draft-mattsson-tls-ecdhe-psk-aead-05 | |||
| Abstract | Abstract | |||
| This document defines several new cipher suites for the Transport | This document defines several new cipher suites for the Transport | |||
| Layer Security (TLS) protocol. The cipher suites are all based on | Layer Security (TLS) protocol. The cipher suites are all based on | |||
| the Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key | the Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key | |||
| (ECDHE_PSK) key exchange together with the Authenticated Encryption | (ECDHE_PSK) key exchange together with the Authenticated Encryption | |||
| with Associated Data (AEAD) algorithms AES-GCM and AES-CCM. PSK | with Associated Data (AEAD) algorithms AES-GCM and AES-CCM. PSK | |||
| provides light and efficient authentication, ECDHE provides perfect | provides light and efficient authentication, ECDHE provides perfect | |||
| forward secrecy, and AES-GCM and AES-CCM provides encryption and | forward secrecy, and AES-GCM and AES-CCM provides encryption and | |||
| skipping to change at page 1, line 38 | skipping to change at page 1, line 38 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 9, 2016. | This Internet-Draft will expire on October 20, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 16 | skipping to change at page 2, line 16 |
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites . . . . . . 3 | 2. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites . . . . . . 3 | |||
| 3. Applicable TLS Versions . . . . . . . . . . . . . . . . . . . 3 | 3. Applicable TLS Versions . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 6 | 7.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines new cipher suites that provide Pre-Shared Key | This document defines new cipher suites that provide Pre-Shared Key | |||
| (PSK) authentication, Perfect Forward Secrecy (PFS), and | (PSK) authentication, Perfect Forward Secrecy (PFS), and | |||
| Authenticated Encryption with Associated Data (AEAD). The cipher | Authenticated Encryption with Associated Data (AEAD). The cipher | |||
| skipping to change at page 3, line 20 | skipping to change at page 3, line 20 |
| authentication. [RFC5487] describes the use of AES-GCM in | authentication. [RFC5487] describes the use of AES-GCM in | |||
| combination with PSK authentication, but does not consider ECDHE. | combination with PSK authentication, but does not consider ECDHE. | |||
| [RFC5489] describes the use of PSK in combination with ECDHE but does | [RFC5489] describes the use of PSK in combination with ECDHE but does | |||
| not consider AES-GCM or AES-CCM. | not consider AES-GCM or AES-CCM. | |||
| 2. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites | 2. ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites | |||
| The cipher suites defined in this document are based on the AES-GCM | The cipher suites defined in this document are based on the AES-GCM | |||
| and AES-CCM Authenticated Encryption with Associated Data (AEAD) | and AES-CCM Authenticated Encryption with Associated Data (AEAD) | |||
| algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_AES_128_CCM, and | algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_AES_128_CCM, and | |||
| AEAD_AES_256_CCM defined in [RFC5116], and AEAD_AES_128_CCM_8 defined | AEAD_AES_256_CCM defined in [RFC5116], AEAD_AES_128_CCM_8 and | |||
| in [RFC6655]. The following cipher suites are defined: | AEAD_AES_256_CCM_8 defined in [RFC6655]. The following cipher suites | |||
| | are defined: |
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = {0xD0,0x01}; | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = {0xTBD,0xTBD}; | |||
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = {0xD0,0x02}; | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = {0xTBD,0xTBD}; | |||
| TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = {0xD0,0x03}; | TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = {0xTBD,0xTBD}; | |||
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = {0xD0,0x04}; | TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256 = {0xTBD,0xTBD}; | |||
| TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384 = {0xD0,0x05}; | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = {0xTBD,0xTBD}; | |||
| | TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384 = {0xTBD,0xTBD}; |
| For the AES-128 cipher suites, the TLS Pseudorandom Function (PRF) | For the AES-128 cipher suites, the TLS Pseudorandom Function (PRF) | |||
| with SHA-256 as the hash function SHALL be used and Clients and | with SHA-256 as the hash function SHALL be used and Clients and | |||
| Servers MUST NOT negotiate curves of less than 255 bits. | Servers MUST NOT negotiate curves of less than 255 bits. | |||
| For the AES-256 cipher suites, the TLS PRF with SHA-384 as the hash | For the AES-256 cipher suites, the TLS PRF with SHA-384 as the hash | |||
| function SHALL be used and Clients and Servers MUST NOT negotiate | function SHALL be used and Clients and Servers MUST NOT negotiate | |||
| curves of less than 384 bits. | curves of less than 384 bits. | |||
| When used in TLS 1.2, the keying material is derived as described in | When used in TLS 1.2, the keying material is derived as described in | |||
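
Review bot: the suite added in -05, TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256, carries a SHA256 suffix, yet the unchanged PRF paragraphs that follow the list state that for the AES-256 cipher suites the TLS PRF with SHA-384 SHALL be used and curves of less than 384 bits MUST NOT be negotiated. Either rename the suite TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA384 so the AES-256 rule applies as written, or add an explicit exception in the PRF paragraphs saying which hash and curve floor this suite uses; implementers read the suite name as the PRF hash, so the two must agree.
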
| skipping to change at page 4, line 15 | skipping to change at page 4, line 17 |
| suites in combination with a version of TLS that does not support | suites in combination with a version of TLS that does not support | |||
| AEAD (i.e., TLS 1.1 or earlier) as an error and generate a fatal | AEAD (i.e., TLS 1.1 or earlier) as an error and generate a fatal | |||
| 'illegal_parameter' TLS alert. | 'illegal_parameter' TLS alert. | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document defines the following new cipher suites, whose values | This document defines the following new cipher suites, whose values | |||
| have been assigned in the TLS Cipher Suite Registry defined by | have been assigned in the TLS Cipher Suite Registry defined by | |||
| [RFC5246]. | [RFC5246]. | |||
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = {0xD0,0x01}; | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = {0xTBD; 0xTBD} {0xD0,0x01}; | |||
| TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = {0xD0,0x02}; | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = {0xTBD; 0xTBD} {0xD0,0x02}; | |||
| TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = {0xD0,0x03}; | TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = {0xTBD; 0xTBD} {0xD0,0x03}; | |||
| TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = {0xD0,0x04}; | TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256 = {0xTBD; 0xTBD} {0xD0,0x04}; | |||
| TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384 = {0xD0,0x05}; | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = {0xTBD; 0xTBD} {0xD0,0x05}; | |||
| | TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384 = {0xTBD; 0xTBD} {0xD0,0x06}; |
| | The cipher suite numbers listed in the second column are numbers used |
| | for cipher suite interoperability testing and it's suggested that |
| | IANA use these values for assignment. |
| 5. Security Considerations | 5. Security Considerations | |||
| The security considerations in TLS 1.2 [RFC5246], DTLS 1.2 [RFC6347], | The security considerations in TLS 1.2 [RFC5246], DTLS 1.2 [RFC6347], | |||
| TLS 1.3 [I-D.ietf-tls-tls13], ECDHE_PSK [RFC5489], AES-GCM [RFC5288], | TLS 1.3 [I-D.ietf-tls-tls13], ECDHE_PSK [RFC5489], AES-GCM [RFC5288], | |||
| and AES-CCM [RFC6655] apply to this document as well. | and AES-CCM [RFC6655] apply to this document as well. | |||
| All the cipher suites defined in this document provide | All the cipher suites defined in this document provide | |||
| confidentiality, mutual authentication, and perfect forward secrecy. | confidentiality, mutual authentication, and perfect forward secrecy. | |||
| The AES-128 cipher suites provide 128-bit security and the AES-256 | The AES-128 cipher suites provide 128-bit security and the AES-256 | |||
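
Review bot: inserting TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256 in the middle of the IANA list shifts the interoperability-testing code points. In -04, {0xD0,0x04} was TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 and {0xD0,0x05} was TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384; in -05, {0xD0,0x04} becomes the new AES_256_CCM_8 suite and the other two move to {0xD0,0x05} and {0xD0,0x06}. An implementation built from -04 would map the same code point to a different cipher suite than a -05 peer, which defeats the purpose of the interoperability values; suggest keeping the -04 numbering and appending the new suite as {0xD0,0x06}. Two smaller points in the same block: the sentence "whose values have been assigned" now contradicts the {0xTBD; 0xTBD} placeholders on every line, and the braces use a semicolon where Section 2 and the -04 text use a comma ({0xTBD,0xTBD}).
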
| skipping to change at page 4, line 48 | skipping to change at page 5, line 8 |
| perform a brute-force attack where the attacker attempts to connect | perform a brute-force attack where the attacker attempts to connect | |||
| to the server and tries different keys. Passive eavesdropping alone | to the server and tries different keys. Passive eavesdropping alone | |||
| is not sufficient. For these reasons the Pre-Shared Keys used for | is not sufficient. For these reasons the Pre-Shared Keys used for | |||
| authentication MUST have a security level equal or higher than the | authentication MUST have a security level equal or higher than the | |||
| cipher suite used, i.e. at least 128-bit for the AES-128 cipher | cipher suite used, i.e. at least 128-bit for the AES-128 cipher | |||
| suites and at least 192-bit for the AES-256 cipher suites. | suites and at least 192-bit for the AES-256 cipher suites. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The authors would like to thank Ilari Liusvaara, Eric Rescorla, Dan | The authors would like to thank Ilari Liusvaara, Eric Rescorla, Dan | |||
| Harkins, and Russ Housley for their valuable comments and feedback. | Harkins, Russ Housley and Sean Turner for their valuable comments and | |||
| | feedback. |
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-tls-tls13] | [I-D.ietf-tls-tls13] | |||
| Rescorla, E., "The Transport Layer Security (TLS) Protocol | Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", draft-ietf-tls-tls13-12 (work in progress), | Version 1.3", draft-ietf-tls-tls13-12 (work in progress), | |||
| March 2016. | March 2016. | |||
| End of changes. 8 change blocks. | |
| 17 lines changed or deleted | 25 lines changed or added |
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||