| < draft-nir-ipsecme-chacha20-poly1305-04.txt | draft-nir-ipsecme-chacha20-poly1305-05.txt > | |||
|---|---|---|---|---|
| Network Working Group Y. Nir | Network Working Group Y. Nir | |||
| Internet-Draft Check Point | Internet-Draft Check Point | |||
| Intended status: Standards Track June 1, 2014 | Intended status: Standards Track November 24, 2014 | |||
| Expires: December 3, 2014 | Expires: May 28, 2015 | |||
| ChaCha20, Poly1305 and their use in IPsec | ChaCha20, Poly1305 and their use in IPsec | |||
| draft-nir-ipsecme-chacha20-poly1305-04 | draft-nir-ipsecme-chacha20-poly1305-05 | |||
| Abstract | Abstract | |||
| This document describes the use of the ChaCha20 stream cipher along | This document describes the use of the ChaCha20 stream cipher along | |||
| with the Poly1305 authenticator, combined into an AEAD algorithm for | with the Poly1305 authenticator, combined into an AEAD algorithm for | |||
| IPsec. | IPsec. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 3, 2014. | This Internet-Draft will expire on May 28, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Conventions Used in This Document . . . . . . . . . . . . . 3 | 1.1. Conventions Used in This Document . . . . . . . . . . . . 2 | |||
| 2. ESP_ChaCha20-Poly1305 for ESP . . . . . . . . . . . . . . . . . 3 | 2. ESP_ChaCha20-Poly1305 for ESP . . . . . . . . . . . . . . . . 3 | |||
| 2.1. AAD Construction . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. AAD Construction . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Use in IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Use in IKEv2 . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. UI Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. UI Suite . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 7 | 8.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| The Advanced Encryption Standard (AES - [FIPS-197]) has become the | The Advanced Encryption Standard (AES - [FIPS-197]) has become the | |||
| gold standard in encryption. Its efficient design, wide | gold standard in encryption. Its efficient design, wide | |||
| implementation, and hardware support allow for high performance in | implementation, and hardware support allow for high performance in | |||
| many areas, including IPsec VPNs. On most modern platforms, AES is | many areas, including IPsec VPNs. On most modern platforms, AES is | |||
| anywhere from 4x to 10x as fast as the previous most-used cipher, | anywhere from 4x to 10x as fast as the previous most-used cipher, | |||
| 3-key Data Encryption Standard (3DES - [FIPS-46]), which makes it not | 3-key Data Encryption Standard (3DES - [FIPS-46]), which makes it not | |||
| only the best choice, but the only choice. | only the best choice, but the only choice. | |||
| skipping to change at page 3, line 40 ¶ | skipping to change at page 3, line 10 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. ESP_ChaCha20-Poly1305 for ESP | 2. ESP_ChaCha20-Poly1305 for ESP | |||
| ESP_ChaCha20-Poly1305 is a combined mode algorithm, or AEAD. The | ESP_ChaCha20-Poly1305 is a combined mode algorithm, or AEAD. The | |||
| construction follows the AEAD construction in section 2.7 of | construction follows the AEAD construction in section 2.7 of | |||
| [chacha_poly]: | [chacha_poly]: | |||
| o The IV is 64-bit, and is used as part of the nonce. | o The IV is 64-bit, and is used as part of the nonce. | |||
| o A 32-bit sender ID is prepended to the 64-bit IV to form the 96- | o A 32-bit sender ID is prepended to the 64-bit IV to form the | |||
| bit nonce. For regular IPsec, this is set to all zeros. IPsec | 96-bit nonce. For regular IPsec, this is set to all zeros. IPsec | |||
| extensions that allow multiple senders, such as GDOI ([RFC6407]) | extensions that allow multiple senders, such as GDOI ([RFC6407]) | |||
| or [RFC6054] may set this to different values. | or [RFC6054] may set this to different values. | |||
| o The encryption key is 256-bit. | o The encryption key is 256-bit. | |||
| o The Internet Key Exchange protocol (IKE - [RFC5996]) generates a | o The Internet Key Exchange protocol (IKE - [RFC7296]) generates a | |||
| bitstring called KEYMAT that is generated from a PRF. That KEYMAT | bitstring called KEYMAT that is generated from a PRF. That KEYMAT | |||
| is divided into keys for encryption, message authentication and | is divided into keys for encryption, message authentication and | |||
| whatever else is needed. For the ChaCha20 algorithm, 256 bits are | whatever else is needed. For the ChaCha20 algorithm, 256 bits are | |||
| used for the key. TBD: do we want an extra 32 bits as salt for | used for the key. TBD: do we want an extra 32 bits as salt for | |||
| the nonce like in GCM? | the nonce like in GCM? | |||
| o The ChaCha20 encryption algorithm requires the following | o The ChaCha20 encryption algorithm requires the following | |||
| parameters: a 256-bit key, a 96-bit nonce, and a 32-bit initial | parameters: a 256-bit key, a 96-bit nonce, and a 32-bit initial | |||
| block counter. For ESP we set these as follows: | block counter. For ESP we set these as follows: | |||
| * The key is set to the key mentioned above. | * The key is set to the key mentioned above. | |||
| * The 96-bit nonce is formed from a concatenation of the 32-bit | * The 96-bit nonce is formed from a concatenation of the 32-bit | |||
| sender ID and the 64-bit IV, as described above. | sender ID and the 64-bit IV, as described above. | |||
| * The Initial Block Counter is set to one (1). The reason that | * The Initial Block Counter is set to one (1). The reason that | |||
| one is used for the initial counter rather than zero is that | one is used for the initial counter rather than zero is that | |||
| zero is reserved for generating the one-time Poly1305 key (see | zero is reserved for generating the one-time Poly1305 key (see | |||
| below) | below) | |||
| o As ChaCha20 is not a block cipher, no padding should be necessary. | o As ChaCha20 is not a block cipher, no padding should be necessary. | |||
| However, in keeping with the specification in RFC 4303, the ESP | However, in keeping with the specification in RFC 4303, the ESP | |||
| does have padding, so as to align the buffer to an integral | does have padding, so as to align the buffer to an integral | |||
| skipping to change at page 5, line 36 ¶ | skipping to change at page 5, line 9 ¶ | |||
| IKEv2: | IKEv2: | |||
| Encryption ESP_ChaCha20-Poly1305 | Encryption ESP_ChaCha20-Poly1305 | |||
| Integrity NULL | Integrity NULL | |||
| Pseudo-random function HMAC-SHA-256 [RFC4868] | Pseudo-random function HMAC-SHA-256 [RFC4868] | |||
| Diffie-Hellman group 256-bit random ECP group [RFC5903] | Diffie-Hellman group 256-bit random ECP group [RFC5903] | |||
| HMAC-SHA-256 is used here because there is no natural way to use | HMAC-SHA-256 is used here because there is no natural way to use | |||
| either ChaCha20 or Poly1305 as an IKEv2 PRF. See discussion in | either ChaCha20 or Poly1305 as an IKEv2 PRF. See discussion in | |||
| section 2.7 of [chacha_poly]. | section 2.7 of [chacha_poly]. | |||
| TBD: Do we want to define a special PRF function here? Something can | ||||
| be concocted from using ChaCha20 as the PRF function and Poly1305 for | ||||
| shortening keys, but somehow this looks unwieldy. | ||||
| TBD: Should we replace the Diffie-Hellman group with ED25519 ??? | TBD: Should we replace the Diffie-Hellman group with ED25519 ??? | |||
| 5. Security Considerations | 5. Security Considerations | |||
| The ChaCha20 cipher is designed to provide 256-bit security. | The ChaCha20 cipher is designed to provide 256-bit security. | |||
| The Poly1305 authenticator is designed to ensure that forged messages | The Poly1305 authenticator is designed to ensure that forged messages | |||
| are rejected with a probability of 1-(n/(2^102)) for a 16n-byte | are rejected with a probability of 1-(n/(2^102)) for a 16n-byte | |||
| message, even after sending 2^64 legitimate messages, so it is SUF- | message, even after sending 2^64 legitimate messages, so it is SUF- | |||
| CMA in the terminology of [AE]. | CMA in the terminology of [AE]. | |||
| skipping to change at page 6, line 27 ¶ | skipping to change at page 5, line 50 ¶ | |||
| IANA is requested to assign one value from the IKEv2 "Transform Type | IANA is requested to assign one value from the IKEv2 "Transform Type | |||
| 1 - Encryption Algorithm Transform IDs" registry, with name | 1 - Encryption Algorithm Transform IDs" registry, with name | |||
| ESP_ChaCha20-Poly1305, and this document as reference. | ESP_ChaCha20-Poly1305, and this document as reference. | |||
| IANA is also requested to assign the identifier "VPN-C" with this | IANA is also requested to assign the identifier "VPN-C" with this | |||
| document as reference from the "Cryptographic Suites for IKEv1, | document as reference from the "Cryptographic Suites for IKEv1, | |||
| IKEv2, and IPsec" registry. | IKEv2, and IPsec" registry. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| All of the algorithms in this document were designed by D. J. | All of the algorithms in this document were designed by D. J. | |||
| Bernstein. The AEAD construction was designed by Adam Langley. The | Bernstein. The AEAD construction was designed by Adam Langley. The | |||
| author would also like to thank Adam for helpful comments, as well as | author would also like to thank Adam for helpful comments, as well as | |||
| Yaron Sheffer for telling me to write the algorithms draft. | Yaron Sheffer for telling me to write the algorithms draft. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", | [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC | |||
| RFC 4303, December 2005. | 4303, December 2005. | |||
| [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption | [RFC5282] Black, D. and D. McGrew, "Using Authenticated Encryption | |||
| Algorithms with the Encrypted Payload of the Internet Key | Algorithms with the Encrypted Payload of the Internet Key | |||
| Exchange version 2 (IKEv2) Protocol", RFC 5282, | Exchange version 2 (IKEv2) Protocol", RFC 5282, August | |||
| August 2008. | 2008. | |||
| [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, | ||||
| "Internet Key Exchange Protocol Version 2 (IKEv2)", | ||||
| RFC 5996, September 2010. | ||||
| [RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with | [RFC6054] McGrew, D. and B. Weis, "Using Counter Modes with | |||
| Encapsulating Security Payload (ESP) and Authentication | Encapsulating Security Payload (ESP) and Authentication | |||
| Header (AH) to Protect Group Traffic", RFC 6054, | Header (AH) to Protect Group Traffic", RFC 6054, November | |||
| November 2010. | 2010. | |||
| [RFC7296] Kivinen, T., Kaufman, C., Hoffman, P., Nir, Y., and P. | ||||
| Eronen, "Internet Key Exchange Protocol Version 2 | ||||
| (IKEv2)", RFC 7296, October 2014. | ||||
| [chacha_poly] | [chacha_poly] | |||
| Langley, A. and Y. Nir, "ChaCha20 and Poly1305 for IETF | Langley, A. and Y. Nir, "ChaCha20 and Poly1305 for IETF | |||
| protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in | protocols", draft-nir-cfrg-chacha20-poly1305-01 (work in | |||
| progress), January 2014. | progress), January 2014. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [AE] Bellare, M. and C. Namprempre, "Authenticated Encryption: | [AE] Bellare, M. and C. Namprempre, "Authenticated Encryption: | |||
| Relations among notions and analysis of the generic | Relations among notions and analysis of the generic | |||
| composition paradigm", | composition paradigm", 2000, | |||
| <http://cseweb.ucsd.edu/~mihir/papers/oem.html>. | <http://cseweb.ucsd.edu/~mihir/papers/oem.html>. | |||
| [FIPS-197] | [FIPS-197] | |||
| National Institute of Standards and Technology, "Advanced | National Institute of Standards and Technology, "Advanced | |||
| Encryption Standard (AES)", FIPS PUB 197, November 2001, < | Encryption Standard (AES)", FIPS PUB 197, November 2001, | |||
| http://csrc.nist.gov/publications/fips/fips197/ | <http://csrc.nist.gov/publications/fips/fips197/ | |||
| fips-197.pdf>. | fips-197.pdf>. | |||
| [FIPS-46] National Institute of Standards and Technology, "Data | [FIPS-46] National Institute of Standards and Technology, "Data | |||
| Encryption Standard", FIPS PUB 46-2, December 1993, | Encryption Standard", FIPS PUB 46-2, December 1993, | |||
| <http://www.itl.nist.gov/fipspubs/fip46-2.htm>. | <http://www.itl.nist.gov/fipspubs/fip46-2.htm>. | |||
| [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode | [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode | |||
| (GCM) in IPsec Encapsulating Security Payload (ESP)", | (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC | |||
| RFC 4106, June 2005. | 4106, June 2005. | |||
| [RFC4308] Hoffman, P., "Cryptographic Suites for IPsec", RFC 4308, | [RFC4308] Hoffman, P., "Cryptographic Suites for IPsec", RFC 4308, | |||
| December 2005. | December 2005. | |||
| [RFC6379] Law, L. and J. Solinas, "Suite B Cryptographic Suites for | [RFC6379] Law, L. and J. Solinas, "Suite B Cryptographic Suites for | |||
| IPsec", RFC 6379, October 2011. | IPsec", RFC 6379, October 2011. | |||
| [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain | [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain | |||
| of Interpretation", RFC 6407, October 2011. | of Interpretation", RFC 6407, October 2011. | |||
| [standby-cipher] | [standby-cipher] | |||
| McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | McGrew, D., Grieco, A., and Y. Sheffer, "Selection of | |||
| Future Cryptographic Standards", | Future Cryptographic Standards", draft-mcgrew-standby- | |||
| draft-mcgrew-standby-cipher (work in progress). | cipher (work in progress), January 2013. | |||
| Author's Address | Author's Address | |||
| Yoav Nir | Yoav Nir | |||
| Check Point Software Technologies Ltd. | Check Point Software Technologies Ltd. | |||
| 5 Hasolelim st. | 5 Hasolelim st. | |||
| Tel Aviv 6789735 | Tel Aviv 6789735 | |||
| Israel | Israel | |||
| Email: ynir.ietf@gmail.com | Email: ynir.ietf@gmail.com | |||
| End of changes. 19 change blocks. | ||||
| 40 lines changed or deleted | 45 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||