| < draft-mavrogiannopoulos-chacha-tls-01.txt | draft-mavrogiannopoulos-chacha-tls-02.txt > | |||
|---|---|---|---|---|
| Network Working Group A. Langley | Network Working Group A. Langley | |||
| Internet-Draft W. Chang | Internet-Draft W. Chang | |||
| Updates: 5246, 6347 Google Inc | Updates: 5246, 6347 Google Inc | |||
| (if approved) N. Mavrogiannopoulos | (if approved) N. Mavrogiannopoulos | |||
| Intended status: Standards Track Red Hat | Intended status: Standards Track Red Hat | |||
| Expires: July 28, 2014 J. Strombergson | Expires: September 4, 2014 J. Strombergson | |||
| Secworks Sweden AB | Secworks Sweden AB | |||
| S. Josefsson | S. Josefsson | |||
| SJD AB | SJD AB | |||
| January 24, 2014 | March 3, 2014 | |||
| The ChaCha Stream Cipher for Transport Layer Security | The ChaCha Stream Cipher for Transport Layer Security | |||
| draft-mavrogiannopoulos-chacha-tls-01 | draft-mavrogiannopoulos-chacha-tls-02 | |||
| Abstract | Abstract | |||
| This document describes the use of the ChaCha stream cipher with | This document describes the use of the ChaCha stream cipher with | |||
| HMAC-SHA1 and Poly1305 in Transport Layer Security (TLS) and Datagram | HMAC-SHA1 and Poly1305 in Transport Layer Security (TLS) and Datagram | |||
| Transport Layer Security (DTLS) protocols. | Transport Layer Security (DTLS) protocols. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 28, 2014. | This Internet-Draft will expire on September 4, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. The ChaCha Cipher . . . . . . . . . . . . . . . . . . . . . . 4 | 2. The ChaCha Cipher . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. The Poly1305 Authenticator . . . . . . . . . . . . . . . . . . 6 | 3. The Poly1305 Authenticator . . . . . . . . . . . . . . . . . . 5 | |||
| 4. ChaCha20 Cipher Suites . . . . . . . . . . . . . . . . . . . . 7 | 4. ChaCha20 Cipher Suites . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 . . . . . . . . . . 7 | 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 . . . . . . . . . . 6 | |||
| 4.2. ChaCha20 Cipher Suites with Poly1305 . . . . . . . . . . . 7 | 4.2. ChaCha20 Cipher Suites with Poly1305 . . . . . . . . . . . 7 | |||
| 5. Updates to the TLS Standard Stream Cipher . . . . . . . . . . 10 | 5. Updates to the TLS Standard Stream Cipher . . . . . . . . . . 8 | |||
| 6. Updates to DTLS . . . . . . . . . . . . . . . . . . . . . . . 11 | 6. Updates to DTLS . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 15 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 15 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 13 | |||
| Appendix A. Test vectors . . . . . . . . . . . . . . . . . . . . 17 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| A.1. ChaCha20 . . . . . . . . . . . . . . . . . . . . . . . . . 17 | ||||
| A.2. Poly1305 . . . . . . . . . . . . . . . . . . . . . . . . . 18 | ||||
| A.3. AEAD_CHACHA20_POLY1305 . . . . . . . . . . . . . . . . . . 18 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 | ||||
| 1. Introduction | 1. Introduction | |||
| This document describes the use of the ChaCha stream cipher in the | This document describes the use of the ChaCha stream cipher in the | |||
| Transport Layer Security (TLS) version 1.0 [RFC2246], TLS version 1.1 | Transport Layer Security (TLS) version 1.0 [RFC2246], TLS version 1.1 | |||
| [RFC4346], and TLS version 1.2 [RFC5246] protocols, as well as in the | [RFC4346], and TLS version 1.2 [RFC5246] protocols, as well as in the | |||
| Datagram Transport Layer Security (DTLS) versions 1.0 [RFC4347] and | Datagram Transport Layer Security (DTLS) versions 1.0 [RFC4347] and | |||
| 1.2 [RFC6347]. It can also be used with Secure Sockets Layer (SSL) | 1.2 [RFC6347]. It can also be used with Secure Sockets Layer (SSL) | |||
| version 3.0 [RFC6101]. | version 3.0 [RFC6101]. | |||
| skipping to change at page 4, line 11 ¶ | skipping to change at page 4, line 11 ¶ | |||
| comparable to RC4 in speed on a wide range of platforms and can be | comparable to RC4 in speed on a wide range of platforms and can be | |||
| implemented easily without being vulnerable to software side-channel | implemented easily without being vulnerable to software side-channel | |||
| attacks. | attacks. | |||
| 2. The ChaCha Cipher | 2. The ChaCha Cipher | |||
| ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in | ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in | |||
| 2008. It is a refinement of Salsa20 and was used as the core of the | 2008. It is a refinement of Salsa20 and was used as the core of the | |||
| SHA-3 finalist, BLAKE. | SHA-3 finalist, BLAKE. | |||
| The variant of ChaCha used in this document is ChaCha with 20 rounds | The variant of ChaCha used in this document is ChaCha with 20 rounds, | |||
| and a 256 bit key, which will be referred to as ChaCha20 in the rest | a 96-bit nonce and a 256 bit key, which will be referred to as | |||
| of this document. This is the conservative variant (with respect to | ChaCha20 in the rest of this document. This is the conservative | |||
| security) of the ChaCha family. | variant (with respect to security) of the ChaCha family and is | |||
| described in [I-D.nir-cfrg-chacha20-poly1305]. | ||||
| ChaCha maps 16, 32-bit input words to 16, 32-bit output words. By | ||||
| convention, 8 of the input words consist of a 256-bit key, 4 are | ||||
| constants and the remaining four are a nonce and block counter. The | ||||
| output words are converted to bytes and XORed with the plaintext to | ||||
| produce ciphertext. In order to generate sufficient output bytes to | ||||
| XOR with the whole plaintext, the block counter is incremented and | ||||
| ChaCha is run again, as many times as needed, for up to 2^70 bytes of | ||||
| output. | ||||
| ChaCha operates on a state of 16, 32-bit words which are initialised | ||||
| from the input words. The first four input words are constants: | ||||
| (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574) | ||||
| Input words 4 through 11 are taken from the 256-bit key by reading | ||||
| the bytes in little-endian order, in 4-byte chunks. Input words 12 | ||||
| and 13 are a block counter, with word 12 overflowing into word 13. | ||||
| Lastly, words 14 and 15 are taken from an 8-byte nonce, again by | ||||
| reading the bytes in little-endian order, in 4-byte chunks. The | ||||
| block counter words are initially zero. | ||||
| ChaCha20 consists of 20 rounds, alternating between "column" rounds | ||||
| and "diagonal" rounds. Each round applies the following "quarter- | ||||
| round" function four times, to a different set of words each time. | ||||
| The quarter-round function updates 4, 32-bit words (a, b, c, d) as | ||||
| follows, where <<< is a bitwise, left rotation: | ||||
| a += b; d ^= a; d <<<= 16; | ||||
| c += d; b ^= c; b <<<= 12; | ||||
| a += b; d ^= a; d <<<= 8; | ||||
| c += d; b ^= c; b <<<= 7; | ||||
| The 16 words are conceptually arranged in a four by four grid with | ||||
| the first word in the top-left position and the fourth word in the | ||||
| top-right position. The "column" rounds then apply the quarter-round | ||||
| function to the four columns, from left to right. The "diagonal" | ||||
| rounds apply the quarter-round to the top-left, bottom-right | ||||
| diagonal, followed by the pattern shifted one place to the right, for | ||||
| three more quarter-rounds. | ||||
| Specifically, a column round applies the quarter-round function to | ||||
| the following indexes: (0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), | ||||
| (3, 7, 11, 15). A diagonal round applies it to these indexes: (0, 5, | ||||
| 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14). | ||||
| After 20 rounds of the above processing, the original 16 input words | ||||
| are added to the 16 words to form the 16 output words. | ||||
| The 64 output bytes are generated from the 16 output words by | ||||
| serializing them in little-endian order and concatenating the | ||||
| results. | ||||
| Test vectors for this cipher can be found in Appendix A.1. | ||||
| 3. The Poly1305 Authenticator | 3. The Poly1305 Authenticator | |||
| Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator | Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator | |||
| designed by D. J. Bernstein. Poly1305 takes a 32-byte, one-time key | designed by D. J. Bernstein. Poly1305 takes a 32-byte, one-time key | |||
| and a message and produces a 16-byte tag that authenticates the | and a message and produces a 16-byte tag that authenticates the | |||
| message such that an attacker has a negligible chance of producing a | message such that an attacker has a negligible chance of producing a | |||
| valid tag for an inauthentic message. | valid tag for an inauthentic message. It is described in | |||
| [I-D.nir-cfrg-chacha20-poly1305]. | ||||
| The first 16 bytes of the one-time key form an integer, _r_, as | ||||
| follows: the top four bits of the bytes at indexes 3, 7, 11 and 15 | ||||
| are cleared, the bottom 2 bits of the bytes at indexes 4, 8 and 12 | ||||
| are cleared and the 16 bytes are taken as a little-endian value. | ||||
| An accumulator is set to zero. For each chunk of 16 bytes from the | ||||
| input message, a byte with value 1 is appended and the 17 bytes are | ||||
| treated as a little-endian number. If the last chunk has less than | ||||
| 16 bytes then zero bytes are appended after the 1 byte is appended | ||||
| until there are 17 bytes. The value is added to the accumulator and | ||||
| then the accumulator is multiplied by _r_, all mod 2^130 - 5. | ||||
| Finally the last 16 bytes of the one-time key are treated as a | ||||
| little-endian number and added to the accumulator, mod 2^128. The | ||||
| result is serialised as a little-endian number, producing the 16 byte | ||||
| tag. Note that the original specification of Poly1305 used a | ||||
| different construction with AES to generate the constant term of the | ||||
| polynomial from a counter nonce. For a more recent treatment that | ||||
| avoids the use of a block cipher in this fashion, as is done here, | ||||
| see section 9 of the NaCl specification [NACLCRYPTO]. | ||||
| Test vectors for this authenticator can be found in Appendix A.2. | ||||
| 4. ChaCha20 Cipher Suites | 4. ChaCha20 Cipher Suites | |||
| In the next sections different ciphersuites are defined that utilize | In the next sections different ciphersuites are defined that utilize | |||
| the ChaCha20 cipher combined with various message authentication | the ChaCha20 cipher combined with various message authentication | |||
| methods. | methods. | |||
| In all cases, the pseudorandom function (PRF) for TLS 1.2 is the TLS | In all cases, the ChaCha20 cipher, as in | |||
| PRF with SHA-256 as the hash function. When used with TLS versions | [I-D.nir-cfrg-chacha20-poly1305], uses a 96-bit nonce. That nonce is | |||
| prior to 1.2, the PRF is calculated as specified in the appropriate | updated on the encryption of every TLS record, and is formed as | |||
| version of the TLS specification. | follows. | |||
| struct { | ||||
| opaque salt[4]; | ||||
| opaque record_counter[8]; | ||||
| } ChaChaNonce; | ||||
| The salt is generated as part of the handshake process. It is either | ||||
| the client_write_IV (when the client is sending) or the | ||||
| server_write_IV (when the server is sending). The salt length | ||||
| (SecurityParameters.fixed_iv_length) is 4 bytes. The record_counter | ||||
| is the 64-bit TLS record sequence number. In case of DTLS the | ||||
| record_counter is formed as the concatenation of the 16-bit epoch | ||||
| with the 48-bit sequence number. | ||||
| In both TLS and DTLS the ChaChaNonce is implicit and not sent as part | ||||
| of the packet. | ||||
| The pseudorandom function (PRF) for TLS 1.2 is the TLS PRF with SHA- | ||||
| 256 as the hash function. When used with TLS versions prior to 1.2, | ||||
| the PRF is calculated as specified in the appropriate version of the | ||||
| TLS specification. | ||||
| The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK, | The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK, | |||
| ECDHE_PSK key exchanges are performed as defined in [RFC5246], | ECDHE_PSK key exchanges are performed as defined in [RFC5246], | |||
| [RFC4492], and [RFC5489]. | [RFC4492], and [RFC5489]. | |||
| 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 | 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 | |||
| The following CipherSuites are defined. | The following CipherSuites are defined. | |||
| TLS_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x20} | TLS_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x21} | TLS_ECDHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x22} | TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_DHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x23} | ||||
| TLS_DHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x24} | ||||
| TLS_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x25} | TLS_DHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x26} | TLS_DHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_RSA_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x27} | ||||
| Note that ChaCha20 requires a 64-bit nonce. That nonce is updated on | TLS_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| the encryption of every TLS record, and is set to be the 64-bit TLS | TLS_ECDHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| record sequence number. In case of DTLS the 64-bit nonce is formed | TLS_RSA_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| as the concatenation of the 16-bit epoch with the 48-bit sequence | ||||
| number. | ||||
| The MAC algorithm used in the ciphersuites above is HMAC-SHA1 | The MAC algorithm used in the ciphersuites above is HMAC-SHA1 | |||
| [RFC6234]. | [RFC6234]. | |||
| 4.2. ChaCha20 Cipher Suites with Poly1305 | 4.2. ChaCha20 Cipher Suites with Poly1305 | |||
| The ChaCha20 and Poly1305 primitives are built into an AEAD algorithm | The ChaCha20 and Poly1305 primitives are built into an AEAD algorithm | |||
| [RFC5116], AEAD_CHACHA20_POLY1305, that takes a 32 byte key and 8 | [RFC5116], AEAD_CHACHA20_POLY1305, described in | |||
| byte nonce as follows. | [I-D.nir-cfrg-chacha20-poly1305]. It takes as input a 256-bit key | |||
| and a 96-bit nonce. | ||||
| ChaCha20 is run with the given key and nonce and with the two counter | ||||
| words set to zero. The first 32 bytes of the 64 byte output are | ||||
| saved to become the one-time key for Poly1305. The remainder of the | ||||
| output is discarded. The first counter input word is set to one and | ||||
| the plaintext is encrypted by XORing it with the output of | ||||
| invocations of the ChaCha20 function as needed, incrementing the | ||||
| first counter word after each block and overflowing into the second. | ||||
| The limits on the TLS plaintext size mean that the first counter word | ||||
| will never overflow in practice. | ||||
| The reason for generating the Poly1305 key like this rather than | ||||
| using key material from the handshake is that handshake key material | ||||
| is per-session, but for a polynomial MAC, a unique, secret key is | ||||
| needed per-record. | ||||
| The Poly1305 key is used to calculate a tag for the following input: | ||||
| the concatenation of the additional data, the number of bytes of | ||||
| additional data, the ciphertext and the number of bytes of | ||||
| ciphertext. Numbers are represented as 8-byte, little-endian values. | ||||
| The resulting tag is appended to the ciphertext, resulting in the | ||||
| output of the AEAD operation. | ||||
| Authenticated decryption is largely the reverse of the encryption | ||||
| process: generate one block of ChaCha20 keystream and use the first | ||||
| 32 bytes as a Poly1305 key. Feed Poly1305 the additional data and | ||||
| ciphertext, with the length suffixing as described above. Verify, in | ||||
| constant time, that the calculated Poly1305 authenticator matches the | ||||
| final 16 bytes of the input. If not, the input can be rejected | ||||
| immediately. Otherwise, run ChaCha20, starting with a counter value | ||||
| of one, to decrypt the ciphertext. | ||||
| When used in TLS, the "record_iv_length" is zero and the nonce is the | ||||
| sequence number for the record, as an 8-byte, big-endian number. The | ||||
| additional data is seq_num + TLSCompressed.type + | ||||
| TLSCompressed.version + TLSCompressed.length, where "+" denotes | ||||
| concatenation. | ||||
| In DTLS, the nonce is formed as the concatenation of the 16-bit epoch | ||||
| with the 48-bit sequence number. | ||||
| In accordance with section 4 of RFC 5116 [RFC5116], the constants for | ||||
| this AEAD algorithm are as follows: K_LEN is 32 bytes, N_MIN and | ||||
| N_MAX are 8 bytes, P_MAX and A_MAX are 2^64, C_MAX is 2^64+16. An | ||||
| AEAD_CHACHA20_POLY1305 ciphertext is exactly 16 octets longer than | ||||
| its corresponding plaintext. | ||||
| Test vectors for this authenticator can be found in Appendix A.3. | When used in TLS, the "record_iv_length" is zero and the nonce is set | |||
| to be the ChaChaNonce. The additional data is seq_num + | ||||
| TLSCompressed.type + TLSCompressed.version + TLSCompressed.length, | ||||
| where "+" denotes concatenation. | ||||
| The following CipherSuites are defined. | The following CipherSuites are defined. | |||
| TLS_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x12} | TLS_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x13} | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x14} | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x15} | TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x16} | TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x17} | TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x18} | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x19} | TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| 5. Updates to the TLS Standard Stream Cipher | 5. Updates to the TLS Standard Stream Cipher | |||
| The ChaCha20 ciphersuites with HMAC-SHA1 defined in this document | The ChaCha20 ciphersuites with HMAC-SHA1 defined in this document | |||
| differ from the TLS RC4 ciphersuites that have been the basis for the | differ from the TLS RC4 ciphersuites that have been the basis for the | |||
| definition of Standard Stream Cipher. Unlike RC4, ChaCha20 requires | definition of Standard Stream Cipher. Unlike RC4, ChaCha20 requires | |||
| a nonce per record. This however, does not affect the description of | a nonce per record. This however, does not affect the description of | |||
| the Standard Stream Cipher if one assumes that a nonce is optional | the Standard Stream Cipher if one assumes that a nonce is optional | |||
| and depends on the cipher's characteristics. | and depends on the cipher's characteristics. | |||
| Hence, this document modifies the Standard Stream Cipher by adding an | Hence, this document modifies the Standard Stream Cipher by adding an | |||
| implicit nonce of 8-bytes, which is set to be the 64-bit TLS record | implicit nonce. The implicit nonce may consist of | |||
| sequence number. If the stream cipher needs more than 8 byte of | ||||
| nonce, it can obtain additional bytes for the implicit nonce from the | o an optional fixed component ("salt"), generated from the | |||
| client_write_iv and server_write_iv of the key_block. | key_block; | |||
| o a variable component, based on the 64-bit TLS record sequence | ||||
| number or the concatenation of the 16-bit epoch with the 48-bit | ||||
| sequence number in case of DTLS. | ||||
| Stream ciphers that don't require a nonce such as RC4 shall ignore | Stream ciphers that don't require a nonce such as RC4 shall ignore | |||
| it. Other stream ciphers that require a nonce, such as ChaCha20 with | it. Other stream ciphers that require a nonce, such as ChaCha20 with | |||
| HMAC-SHA1, will use the nonce and reset their state on each record. | HMAC-SHA1, will use the nonce and reset their state on each record. | |||
| Note that in case of DTLS the 8-byte nonce is formed as the | ||||
| concatenation of the 16-bit epoch with the 48-bit sequence number, | ||||
| which are sent as part of the record. | ||||
| 6. Updates to DTLS | 6. Updates to DTLS | |||
| The DTLS protocol requires the cipher in use to introduce no | The DTLS protocol requires the cipher in use to introduce no | |||
| dependencies between TLS Records to allow lost or rearranged records. | dependencies between TLS Records to allow lost or rearranged records. | |||
| For that it explicitly bans stream ciphers (see Section 3.1 of | For that it explicitly bans stream ciphers (see Section 3.1 of | |||
| [RFC6347]). | [RFC6347]). | |||
| As the stream cipher described in this document, unlike RC4, does not | As the stream cipher described in this document, unlike RC4, does not | |||
| require dependencies between records, this ban of stream ciphers is | require dependencies between records, this ban of stream ciphers is | |||
| lifted with this document. Stream ciphers can be used with DTLS if | lifted with this document. Stream ciphers can be used with DTLS if | |||
| they introduce no dependencies between records. | they introduce no dependencies between records. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| The authors would like to thank Zooko Wilcox-OHearn and Samuel Neves. | The authors would like to thank Zooko Wilcox-OHearn and Samuel Neves. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| IANA is requested to assign a value for AEAD_CHACHA20_POLY1305 in the | IANA is requested to assign the following Cipher Suites in the TLS | |||
| registry of AEAD algorithms [RFC5116], and also allocate the | Cipher Suite Registry: | |||
| following Cipher Suites in the TLS Cipher Suite Registry (note that | ||||
| the third column contains the suggested ciphersuite numbers): | ||||
| TLS_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x12} | TLS_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x13} | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x14} | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x15} | TLS_DHE_RSA_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x16} | TLS_DHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x17} | TLS_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x18} | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} {0xCC, 0x19} | TLS_RSA_PSK_WITH_CHACHA20_POLY1305 = {0xTBD, 0xTBD} | |||
| TLS_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x20} | TLS_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x21} | TLS_ECDHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x22} | TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_DHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x23} | TLS_DHE_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_DHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x24} | TLS_DHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x25} | TLS_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_ECDHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x26} | TLS_ECDHE_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| TLS_RSA_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} {0xCC, 0x27} | TLS_RSA_PSK_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| 9. Security Considerations | 9. Security Considerations | |||
| ChaCha20 follows the same basic principle as Salsa20, a cipher with | ChaCha20 follows the same basic principle as Salsa20, a cipher with | |||
| significant security review [SALSA20-SECURITY][ESTREAM]. At the time | significant security review [SALSA20-SECURITY][ESTREAM]. At the time | |||
| of writing this document, there are no known significant security | of writing this document, there are no known significant security | |||
| problems with either cipher, and ChaCha20 is shown to be more | problems with either cipher, and ChaCha20 is shown to be more | |||
| resistant in certain attacks than Salsa20 [SALSA20-ATTACK]. | resistant in certain attacks than Salsa20 [SALSA20-ATTACK]. | |||
| Furthermore ChaCha20 was used as the core of the BLAKE hash function, | Furthermore ChaCha20 was used as the core of the BLAKE hash function, | |||
| a SHA3 finalist, that had received considerable cryptanalytic | a SHA3 finalist, that had received considerable cryptanalytic | |||
| skipping to change at page 14, line 29 ¶ | skipping to change at page 12, line 29 ¶ | |||
| The cipher suites described in this document require that an nonce is | The cipher suites described in this document require that an nonce is | |||
| never repeated under the same key. The design presented ensures that | never repeated under the same key. The design presented ensures that | |||
| by using the TLS sequence number which is unique and does not wrap | by using the TLS sequence number which is unique and does not wrap | |||
| [RFC5246]. | [RFC5246]. | |||
| This document should not introduce any other security considerations | This document should not introduce any other security considerations | |||
| than those that directly follow from the use of the stream cipher | than those that directly follow from the use of the stream cipher | |||
| ChaCha20, the AEAD_CHACHA20_POLY1305 construction, and those that | ChaCha20, the AEAD_CHACHA20_POLY1305 construction, and those that | |||
| directly follow from introducing any set of stream cipher suites into | directly follow from introducing any set of stream cipher suites into | |||
| TLS and DTLS. | TLS and DTLS (see also the Security Considerations section of | |||
| [I-D.nir-cfrg-chacha20-poly1305]). | ||||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", | |||
| RFC 2246, January 1999. | RFC 2246, January 1999. | |||
| [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.1", RFC 4346, April 2006. | (TLS) Protocol Version 1.1", RFC 4346, April 2006. | |||
| [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | |||
| Security", RFC 4347, April 2006. | Security", RFC 4347, April 2006. | |||
| [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. | [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. | |||
| Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites | Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites | |||
| for Transport Layer Security (TLS)", RFC 4492, May 2006. | for Transport Layer Security (TLS)", RFC 4492, May 2006. | |||
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | ||||
| Encryption", RFC 5116, January 2008. | ||||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
| [RFC5489] Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for | [RFC5489] Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for | |||
| Transport Layer Security (TLS)", RFC 5489, March 2009. | Transport Layer Security (TLS)", RFC 5489, March 2009. | |||
| [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms | [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms | |||
| (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. | (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. | |||
| [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | |||
| Security Version 1.2", RFC 6347, January 2012. | Security Version 1.2", RFC 6347, January 2012. | |||
| [I-D.nir-cfrg-chacha20-poly1305] | ||||
| Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | ||||
| protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in | ||||
| progress), January 2014. | ||||
| 10.2. Informative References | ||||
| [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", | [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", | |||
| January 2008, | January 2008, | |||
| <http://cr.yp.to/chacha/chacha-20080128.pdf>. | <http://cr.yp.to/chacha/chacha-20080128.pdf>. | |||
| [POLY1305] | [POLY1305] | |||
| Bernstein, D., "The Poly1305-AES message-authentication | Bernstein, D., "The Poly1305-AES message-authentication | |||
| code.", March 2005, | code.", March 2005, | |||
| <http://cr.yp.to/mac/poly1305-20050329.pdf>. | <http://cr.yp.to/mac/poly1305-20050329.pdf>. | |||
| 10.2. Informative References | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", RFC 5116, January 2008. | ||||
| [SALSA20SPEC] | [SALSA20SPEC] | |||
| Bernstein, D., "Salsa20 specification", April 2005, | Bernstein, D., "Salsa20 specification", April 2005, | |||
| <http://cr.yp.to/snuffle/spec.pdf>. | <http://cr.yp.to/snuffle/spec.pdf>. | |||
| [RFC6101] Freier, A., Karlton, P., and P. Kocher, "The Secure | [RFC6101] Freier, A., Karlton, P., and P. Kocher, "The Secure | |||
| Sockets Layer (SSL) Protocol Version 3.0", RFC 6101, | Sockets Layer (SSL) Protocol Version 3.0", RFC 6101, | |||
| August 2011. | August 2011. | |||
| [SALSA20-SECURITY] | [SALSA20-SECURITY] | |||
| skipping to change at page 16, line 33 ¶ | skipping to change at page 14, line 39 ¶ | |||
| Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full | Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full | |||
| Plaintext Recovery Attack on Broadcast RC4", International | Plaintext Recovery Attack on Broadcast RC4", International | |||
| Workshop on Fast Software Encryption , 2013. | Workshop on Fast Software Encryption , 2013. | |||
| [SALSA20-ATTACK] | [SALSA20-ATTACK] | |||
| Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and | Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and | |||
| C. Rechberger, "New Features of Latin Dances: Analysis of | C. Rechberger, "New Features of Latin Dances: Analysis of | |||
| Salsa, ChaCha, and Rumba", 2007, | Salsa, ChaCha, and Rumba", 2007, | |||
| <http://eprint.iacr.org/2007/472.pdf>. | <http://eprint.iacr.org/2007/472.pdf>. | |||
| [NACLCRYPTO] | ||||
| Bernstein, D., "Cryptography in NaCl", March 2009, | ||||
| <http://cr.yp.to/highspeed/naclcrypto-20090310.pdf>. | ||||
| [NIST-SHA3] | [NIST-SHA3] | |||
| Chang, S., Burr, W., Kelsey, J., Paul, S., and L. Bassham, | Chang, S., Burr, W., Kelsey, J., Paul, S., and L. Bassham, | |||
| "Third-Round Report of the SHA-3 Cryptographic Hash | "Third-Round Report of the SHA-3 Cryptographic Hash | |||
| Algorithm Competition", 2012, | Algorithm Competition", 2012, | |||
| <http://dx.doi.org/10.6028/NIST.IR.7896>. | <http://dx.doi.org/10.6028/NIST.IR.7896>. | |||
| Appendix A. Test vectors | ||||
| A.1. ChaCha20 | ||||
| The following blocks contain test vectors for ChaCha20. The first | ||||
| line contains the 256-bit key, the second the 64-bit nonce and the | ||||
| last line contains a prefix of the resulting ChaCha20 key-stream. | ||||
| KEY: 00000000000000000000000000000000000000000000000000000000 | ||||
| 00000000 | ||||
| NONCE: 0000000000000000 | ||||
| KEYSTREAM: 76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc | ||||
| 8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11c | ||||
| c387b669b2ee6586 | ||||
| KEY: 00000000000000000000000000000000000000000000000000000000 | ||||
| 00000001 | ||||
| NONCE: 0000000000000000 | ||||
| KEYSTREAM: 4540f05a9f1fb296d7736e7b208e3c96eb4fe1834688d2604f450952 | ||||
| ed432d41bbe2a0b6ea7566d2a5d1e7e20d42af2c53d792b1c43fea81 | ||||
| 7e9ad275ae546963 | ||||
| KEY: 00000000000000000000000000000000000000000000000000000000 | ||||
| 00000000 | ||||
| NONCE: 0000000000000001 | ||||
| KEYSTREAM: de9cba7bf3d69ef5e786dc63973f653a0b49e015adbff7134fcb7df1 | ||||
| 37821031e85a050278a7084527214f73efc7fa5b5277062eb7a0433e | ||||
| 445f41e3 | ||||
| KEY: 00000000000000000000000000000000000000000000000000000000 | ||||
| 00000000 | ||||
| NONCE: 0100000000000000 | ||||
| KEYSTREAM: ef3fdfd6c61578fbf5cf35bd3dd33b8009631634d21e42ac33960bd1 | ||||
| 38e50d32111e4caf237ee53ca8ad6426194a88545ddc497a0b466e7d | ||||
| 6bbdb0041b2f586b | ||||
| KEY: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b | ||||
| 1c1d1e1f | ||||
| NONCE: 0001020304050607 | ||||
| KEYSTREAM: f798a189f195e66982105ffb640bb7757f579da31602fc93ec01ac56 | ||||
| f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f1 | ||||
| 5916155c2be8241a38008b9a26bc35941e2444177c8ade6689de9526 | ||||
| 4986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e | ||||
| 09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a4750 | ||||
| 32b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c5 | ||||
| 07b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f7 | ||||
| 6dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2 | ||||
| ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab7 | ||||
| 8fab78c9 | ||||
| A.2. Poly1305 | ||||
| The following blocks contain test vectors for Poly1305. The first | ||||
| line contains a variable length input. The second contains the 256- | ||||
| bit key and the last contains the resulting, 128-bit tag. | ||||
| INPUT: 000000000000000000000000000000000000000000000000000000000000 | ||||
| 0000 | ||||
| KEY: 746869732069732033322d62797465206b657920666f7220506f6c793133 | ||||
| 3035 | ||||
| TAG: 49ec78090e481ec6c26b33b91ccc0307 | ||||
| INPUT: 48656c6c6f20776f726c6421 | ||||
| KEY: 746869732069732033322d62797465206b657920666f7220506f6c793133 | ||||
| 3035 | ||||
| TAG: a6f745008f81c916a20dcc74eef2b2f0 | ||||
| A.3. AEAD_CHACHA20_POLY1305 | ||||
| The following block contains a test vector for the | ||||
| AEAD_CHACHA20_POLY1305 algorithm. The first four lines consist of | ||||
| the standard inputs to an AEAD algorithm and the last line contains | ||||
| the encrypted and authenticated result. | ||||
| KEY: 4290bcb154173531f314af57f3be3b5006da371ece272afa1b5dbdd110 | ||||
| 0a1007 | ||||
| INPUT: 86d09974840bded2a5ca | ||||
| NONCE: cd7cf67be39c794a | ||||
| AD: 87e229d4500845a079c0 | ||||
| OUTPUT: e3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d6 | ||||
| To aid implementations, the next block contains some intermediate | ||||
| values in the AEAD_CHACHA20_POLY1305 algorithm. The first line | ||||
| contains the Poly1305 key that is derived and the second contains the | ||||
| raw bytes that are authenticated by Poly1305. | ||||
| KEY: 9052a6335505b6d507341169783dccac0e26f84ea84906b1558c05bf4815 | ||||
| 0fbe | ||||
| INPUT: 87e229d4500845a079c00a00000000000000e3e446f7ede9a19b62a40a00 | ||||
| 000000000000 | ||||
| Authors' Addresses | Authors' Addresses | |||
| Adam Langley | Adam Langley | |||
| Google Inc | Google Inc | |||
| Email: agl@google.com | Email: agl@google.com | |||
| Wan-Teh Chang | Wan-Teh Chang | |||
| Google Inc | Google Inc | |||
| End of changes. 32 change blocks. | ||||
| 305 lines changed or deleted | 108 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||