| < draft-mavrogiannopoulos-chacha-tls-02.txt | draft-mavrogiannopoulos-chacha-tls-03.txt > | |||
|---|---|---|---|---|
| Network Working Group A. Langley | Network Working Group A. Langley | |||
| Internet-Draft W. Chang | Internet-Draft W. Chang | |||
| Updates: 5246, 6347 Google Inc | Updates: 5246, 6347 (if approved) Google Inc | |||
| (if approved) N. Mavrogiannopoulos | Intended status: Standards Track N. Mavrogiannopoulos | |||
| Intended status: Standards Track Red Hat | Expires: March 26, 2015 Red Hat | |||
| Expires: September 4, 2014 J. Strombergson | J. Strombergson | |||
| Secworks Sweden AB | Secworks Sweden AB | |||
| S. Josefsson | S. Josefsson | |||
| SJD AB | SJD AB | |||
| March 3, 2014 | September 22, 2014 | |||
| The ChaCha Stream Cipher for Transport Layer Security | The ChaCha Stream Cipher for Transport Layer Security | |||
| draft-mavrogiannopoulos-chacha-tls-02 | draft-mavrogiannopoulos-chacha-tls-03 | |||
| Abstract | Abstract | |||
| This document describes the use of the ChaCha stream cipher with | This document describes the use of the ChaCha stream cipher with | |||
| HMAC-SHA1 and Poly1305 in Transport Layer Security (TLS) and Datagram | HMAC-SHA1 and Poly1305 in Transport Layer Security (TLS) and Datagram | |||
| Transport Layer Security (DTLS) protocols. | Transport Layer Security (DTLS) protocols. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 4, 2014. | This Internet-Draft will expire on March 26, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. The ChaCha Cipher . . . . . . . . . . . . . . . . . . . . . . 4 | 2. The ChaCha Cipher . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. The Poly1305 Authenticator . . . . . . . . . . . . . . . . . . 5 | 3. The Poly1305 Authenticator . . . . . . . . . . . . . . . . . 3 | |||
| 4. ChaCha20 Cipher Suites . . . . . . . . . . . . . . . . . . . . 6 | 4. ChaCha20 Cipher Suites . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 . . . . . . . . . . 6 | 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 . . . . . . . . . . 4 | |||
| 4.2. ChaCha20 Cipher Suites with Poly1305 . . . . . . . . . . . 7 | 4.2. ChaCha20 Cipher Suites with Poly1305 . . . . . . . . . . 4 | |||
| 5. Updates to the TLS Standard Stream Cipher . . . . . . . . . . 8 | 5. Updates to the TLS Standard Stream Cipher . . . . . . . . . . 5 | |||
| 6. Updates to DTLS . . . . . . . . . . . . . . . . . . . . . . . 9 | 6. Updates to DTLS . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 13 | 10.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| This document describes the use of the ChaCha stream cipher in the | This document describes the use of the ChaCha stream cipher in the | |||
| Transport Layer Security (TLS) version 1.0 [RFC2246], TLS version 1.1 | Transport Layer Security (TLS) version 1.0 [RFC2246], TLS version 1.1 | |||
| [RFC4346], and TLS version 1.2 [RFC5246] protocols, as well as in the | [RFC4346], and TLS version 1.2 [RFC5246] protocols, as well as in the | |||
| Datagram Transport Layer Security (DTLS) versions 1.0 [RFC4347] and | Datagram Transport Layer Security (DTLS) versions 1.0 [RFC4347] and | |||
| 1.2 [RFC6347]. It can also be used with Secure Sockets Layer (SSL) | 1.2 [RFC6347]. It can also be used with Secure Sockets Layer (SSL) | |||
| version 3.0 [RFC6101]. | version 3.0 [RFC6101]. | |||
| skipping to change at page 4, line 7 | skipping to change at page 3, line 14 | |||
| Therefore, a new stream cipher to replace RC4 and address all the | Therefore, a new stream cipher to replace RC4 and address all the | |||
| previous issues is needed. It is the purpose of this document to | previous issues is needed. It is the purpose of this document to | |||
| describe a secure stream cipher for both TLS and DTLS that is | describe a secure stream cipher for both TLS and DTLS that is | |||
| comparable to RC4 in speed on a wide range of platforms and can be | comparable to RC4 in speed on a wide range of platforms and can be | |||
| implemented easily without being vulnerable to software side-channel | implemented easily without being vulnerable to software side-channel | |||
| attacks. | attacks. | |||
| 2. The ChaCha Cipher | 2. The ChaCha Cipher | |||
| ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in | ChaCha [CHACHA] is a stream cipher developed by D. J. Bernstein in | |||
| 2008. It is a refinement of Salsa20 and was used as the core of the | 2008. It is a refinement of Salsa20 and was used as the core of the | |||
| SHA-3 finalist, BLAKE. | SHA-3 finalist, BLAKE. | |||
| The variant of ChaCha used in this document is ChaCha with 20 rounds, | The variant of ChaCha used in this document is ChaCha with 20 rounds, | |||
| a 96-bit nonce and a 256 bit key, which will be referred to as | a 96-bit nonce and a 256 bit key, which will be referred to as | |||
| ChaCha20 in the rest of this document. This is the conservative | ChaCha20 in the rest of this document. This is the conservative | |||
| variant (with respect to security) of the ChaCha family and is | variant (with respect to security) of the ChaCha family and is | |||
| described in [I-D.nir-cfrg-chacha20-poly1305]. | described in [I-D.nir-cfrg-chacha20-poly1305]. | |||
| 3. The Poly1305 Authenticator | 3. The Poly1305 Authenticator | |||
| Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator | Poly1305 [POLY1305] is a Wegman-Carter, one-time authenticator | |||
| designed by D. J. Bernstein. Poly1305 takes a 32-byte, one-time key | designed by D. J. Bernstein. Poly1305 takes a 32-byte, one-time | |||
| and a message and produces a 16-byte tag that authenticates the | key and a message and produces a 16-byte tag that authenticates the | |||
| message such that an attacker has a negligible chance of producing a | message such that an attacker has a negligible chance of producing a | |||
| valid tag for an inauthentic message. It is described in | valid tag for an inauthentic message. It is described in | |||
| [I-D.nir-cfrg-chacha20-poly1305]. | [I-D.nir-cfrg-chacha20-poly1305]. | |||
| 4. ChaCha20 Cipher Suites | 4. ChaCha20 Cipher Suites | |||
| In the next sections different ciphersuites are defined that utilize | In the next sections different ciphersuites are defined that utilize | |||
| the ChaCha20 cipher combined with various message authentication | the ChaCha20 cipher combined with various message authentication | |||
| methods. | methods. | |||
| skipping to change at page 6, line 32 | skipping to change at page 4, line 11 | |||
| the client_write_IV (when the client is sending) or the | the client_write_IV (when the client is sending) or the | |||
| server_write_IV (when the server is sending). The salt length | server_write_IV (when the server is sending). The salt length | |||
| (SecurityParameters.fixed_iv_length) is 4 bytes. The record_counter | (SecurityParameters.fixed_iv_length) is 4 bytes. The record_counter | |||
| is the 64-bit TLS record sequence number. In case of DTLS the | is the 64-bit TLS record sequence number. In case of DTLS the | |||
| record_counter is formed as the concatenation of the 16-bit epoch | record_counter is formed as the concatenation of the 16-bit epoch | |||
| with the 48-bit sequence number. | with the 48-bit sequence number. | |||
| In both TLS and DTLS the ChaChaNonce is implicit and not sent as part | In both TLS and DTLS the ChaChaNonce is implicit and not sent as part | |||
| of the packet. | of the packet. | |||
| The pseudorandom function (PRF) for TLS 1.2 is the TLS PRF with SHA- | The pseudorandom function (PRF) for TLS 1.2 is the TLS PRF with | |||
| 256 as the hash function. When used with TLS versions prior to 1.2, | SHA-256 as the hash function. When used with TLS versions prior to | |||
| the PRF is calculated as specified in the appropriate version of the | 1.2, the PRF is calculated as specified in the appropriate version of | |||
| TLS specification. | the TLS specification. | |||
| The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK, | The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK, | |||
| ECDHE_PSK key exchanges are performed as defined in [RFC5246], | ECDHE_PSK key exchanges are performed as defined in [RFC5246], | |||
| [RFC4492], and [RFC5489]. | [RFC4492], and [RFC5489]. | |||
| 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 | 4.1. ChaCha20 Cipher Suites with HMAC-SHA1 | |||
| The following CipherSuites are defined. | The following CipherSuites are defined. | |||
| TLS_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | TLS_RSA_WITH_CHACHA20_SHA = {0xTBD, 0xTBD} | |||
| skipping to change at page 12, line 20 | skipping to change at page 6, line 51 | |||
| problems with either cipher, and ChaCha20 is shown to be more | problems with either cipher, and ChaCha20 is shown to be more | |||
| resistant in certain attacks than Salsa20 [SALSA20-ATTACK]. | resistant in certain attacks than Salsa20 [SALSA20-ATTACK]. | |||
| Furthermore ChaCha20 was used as the core of the BLAKE hash function, | Furthermore ChaCha20 was used as the core of the BLAKE hash function, | |||
| a SHA3 finalist, that had received considerable cryptanalytic | a SHA3 finalist, that had received considerable cryptanalytic | |||
| attention [NIST-SHA3]. | attention [NIST-SHA3]. | |||
| Poly1305 is designed to ensure that forged messages are rejected with | Poly1305 is designed to ensure that forged messages are rejected with | |||
| a probability of 1-(n/2^102) for a 16*n byte message, even after | a probability of 1-(n/2^102) for a 16*n byte message, even after | |||
| sending 2^64 legitimate messages. | sending 2^64 legitimate messages. | |||
| The cipher suites described in this document require that an nonce is | The cipher suites described in this document require that a nonce is | |||
| never repeated under the same key. The design presented ensures that | never repeated under the same key. The design presented ensures that | |||
| by using the TLS sequence number which is unique and does not wrap | by using the TLS sequence number which is unique and does not wrap | |||
| [RFC5246]. | [RFC5246]. | |||
| This document should not introduce any other security considerations | This document should not introduce any other security considerations | |||
| than those that directly follow from the use of the stream cipher | than those that directly follow from the use of the stream cipher | |||
| ChaCha20, the AEAD_CHACHA20_POLY1305 construction, and those that | ChaCha20, the AEAD_CHACHA20_POLY1305 construction, and those that | |||
| directly follow from introducing any set of stream cipher suites into | directly follow from introducing any set of stream cipher suites into | |||
| TLS and DTLS (see also the Security Considerations section of | TLS and DTLS (see also the Security Considerations section of | |||
| [I-D.nir-cfrg-chacha20-poly1305]). | [I-D.nir-cfrg-chacha20-poly1305]). | |||
| skipping to change at page 13, line 41 | skipping to change at page 8, line 7 | |||
| [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | |||
| Security Version 1.2", RFC 6347, January 2012. | Security Version 1.2", RFC 6347, January 2012. | |||
| [I-D.nir-cfrg-chacha20-poly1305] | [I-D.nir-cfrg-chacha20-poly1305] | |||
| Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | |||
| protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in | protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in | |||
| progress), January 2014. | progress), January 2014. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", | [CHACHA] Bernstein, D., "ChaCha, a variant of Salsa20", January | |||
| January 2008, | 2008, <http://cr.yp.to/chacha/chacha-20080128.pdf>. | |||
| <http://cr.yp.to/chacha/chacha-20080128.pdf>. | ||||
| [POLY1305] | [POLY1305] | |||
| Bernstein, D., "The Poly1305-AES message-authentication | Bernstein, D., "The Poly1305-AES message-authentication | |||
| code.", March 2005, | code.", March 2005, | |||
| <http://cr.yp.to/mac/poly1305-20050329.pdf>. | <http://cr.yp.to/mac/poly1305-20050329.pdf>. | |||
| [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated | |||
| Encryption", RFC 5116, January 2008. | Encryption", RFC 5116, January 2008. | |||
| [SALSA20SPEC] | [SALSA20SPEC] | |||
| skipping to change at page 14, line 25 | skipping to change at page 8, line 38 | |||
| <http://cr.yp.to/snuffle/security.pdf>. | <http://cr.yp.to/snuffle/security.pdf>. | |||
| [ESTREAM] Babbage, S., DeCanniere, C., Cantenaut, A., Cid, C., | [ESTREAM] Babbage, S., DeCanniere, C., Cantenaut, A., Cid, C., | |||
| Gilbert, H., Johansson, T., Parker, M., Preneel, B., | Gilbert, H., Johansson, T., Parker, M., Preneel, B., | |||
| Rijmen, V., and M. Robshaw, "The eSTREAM Portfolio (rev. | Rijmen, V., and M. Robshaw, "The eSTREAM Portfolio (rev. | |||
| 1)", September 2008, | 1)", September 2008, | |||
| <http://www.ecrypt.eu.org/stream/finallist.html>. | <http://www.ecrypt.eu.org/stream/finallist.html>. | |||
| [CBC-ATTACK] | [CBC-ATTACK] | |||
| AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking | AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking | |||
| the TLS and DTLS Record Protocols", IEEE Symposium on | the TLS and DTLS Record Protocols", IEEE Symposium on | |||
| Security and Privacy, 2013. | Security and Privacy, 2013. | |||
| [RC4-ATTACK] | [RC4-ATTACK] | |||
| Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full | Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full | |||
| Plaintext Recovery Attack on Broadcast RC4", International | Plaintext Recovery Attack on Broadcast RC4", International | |||
| Workshop on Fast Software Encryption, 2013. | Workshop on Fast Software Encryption, 2013. | |||
| [SALSA20-ATTACK] | [SALSA20-ATTACK] | |||
| Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and | Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and | |||
| C. Rechberger, "New Features of Latin Dances: Analysis of | C. Rechberger, "New Features of Latin Dances: Analysis of | |||
| End of changes. 12 change blocks. | ||||
| 35 lines changed or deleted | 34 lines changed or added | |||
| This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
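The implicit ChaChaNonce construction from section 4 of both draft versions (a 4-byte salt taken from client_write_IV or server_write_IV, SecurityParameters.fixed_iv_length = 4, followed by the 64-bit record_counter, which for DTLS is the 16-bit epoch concatenated with the 48-bit sequence number), worked through as an added example that is not part of the draft. The draft's struct definition is elided on this page, so the salt-then-counter order and big-endian encoding are assumptions, and the sample write IV is a constructed value.

```python
"""Added example (not from the draft): build the implicit 96-bit ChaChaNonce
of the ChaCha20 cipher suites from the fields the text names:
  salt           = client_write_IV / server_write_IV, 4 bytes (fixed_iv_length)
  record_counter = TLS: 64-bit sequence number; DTLS: 16-bit epoch || 48-bit seq
Assumed (the draft's struct is elided on this page): the salt precedes the
counter, and integers are big-endian as everywhere else in TLS.
"""
import struct

SALT_LEN = 4                 # SecurityParameters.fixed_iv_length
MAX_TLS_SEQ = 2**64 - 1      # 64-bit record sequence number
MAX_DTLS_EPOCH = 2**16 - 1   # 16-bit epoch
MAX_DTLS_SEQ = 2**48 - 1     # 48-bit per-epoch sequence number


def _check_salt(write_iv: bytes) -> None:
    if len(write_iv) != SALT_LEN:
        raise ValueError("write_IV (salt) must be exactly 4 bytes")


def tls_nonce(write_iv: bytes, seq: int) -> bytes:
    """ChaChaNonce for TLS: salt || 64-bit record sequence number."""
    _check_salt(write_iv)
    if not 0 <= seq <= MAX_TLS_SEQ:
        # RFC 5246: the sequence number must not wrap; a wrapped counter
        # would repeat a nonce under the same key, which the suites forbid.
        raise ValueError("TLS sequence number out of range")
    return write_iv + struct.pack(">Q", seq)


def dtls_nonce(write_iv: bytes, epoch: int, seq: int) -> bytes:
    """ChaChaNonce for DTLS: salt || 16-bit epoch || 48-bit sequence number."""
    _check_salt(write_iv)
    if not 0 <= epoch <= MAX_DTLS_EPOCH or not 0 <= seq <= MAX_DTLS_SEQ:
        raise ValueError("DTLS epoch or sequence number out of range")
    record_counter = (epoch << 48) | seq   # epoch in the top 16 of 64 bits
    return write_iv + struct.pack(">Q", record_counter)


class TlsRecordNonces:
    """Per-write-key nonce source for one direction: issues seq 0, 1, 2, ...
    and refuses to continue once the counter would wrap. Constructed helper."""

    def __init__(self, write_iv: bytes):
        _check_salt(write_iv)
        self.write_iv, self.next_seq = write_iv, 0

    def next(self) -> bytes:
        if self.next_seq > MAX_TLS_SEQ:
            raise RuntimeError("sequence number exhausted; rekey before sending")
        nonce = tls_nonce(self.write_iv, self.next_seq)
        self.next_seq += 1
        return nonce
```

With the constructed IV a1b2c3d4, tls_nonce(iv, 1) gives a1b2c3d40000000000000001 and dtls_nonce(iv, 1, 5) gives a1b2c3d40001000000000005; the DTLS epoch/sequence split is just a partition of the same 64-bit counter field, so dtls_nonce(iv, 1, 0) equals tls_nonce(iv, 1 << 48).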