Delay-Tolerant Networking                                     E. Birrane
Internet-Draft                                                   JHU/APL
Intended status: Experimental                          December 31, 2015
Expires: July 3, 2016

          Suite B Profile for Bundle Protocol Security (BPSec)
               draft-birrane-dtn-bpsec-suiteb-profile-00

Abstract

   The United States Government has published guidelines for "NSA Suite
   B Cryptography" dated July, 2005, which defines cryptographic
   algorithm policy for national security applications.
   This document specifies the conventions for using Suite B
   cryptography with Bundle Protocol Security (BPSec).

   Since many of the Suite B algorithms enjoy uses in other environments
   as well, the majority of the conventions needed for the Suite B
   algorithms are already specified in other documents.  This document
   references the source of these conventions, with some relevant
   details repeated to aid developers that choose to support Suite B
   within BPSec.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 3, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Suite B Requirements
   4.  Minimum Levels of Security (minLOS)
     4.1.  Non-signature Primitives
     4.2.  Suite B Authentication
     4.3.  Digital Signatures and Certificates
   5.  Suite B Ciphersuites
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Author's Address

1.  Introduction

   This document specifies the conventions for using NSA Suite B
   Cryptography [SuiteB] with Bundle Protocol Security (BPSec)
   [I-D.ietf-dtn-bpsec].  This document is an update to the Suite B
   profile created by Burgin and Hennessy
   [I-D.hennessy-bsp-suiteb-profile].  This update adapts the profile
   from BSP [RFC6257] to BPSec.

   BPSec provides source authentication, data integrity, and data
   confidentiality services for the Bundle Protocol (BP) [RFC5050].

   [I-D.birrane-dtn-bpsec-suiteb-ciphersuites] defines ciphersuites for
   BPSec that are comprised of Suite B algorithms for use with the
   security block types BAB, BIB, and BCB.  Suite B compliant
   implementations for BPSec MUST use one of these ciphersuites,
   depending upon the desired security level and security services.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3.  Suite B Requirements

   Suite B requires that key establishment and signature algorithms be
   based upon Elliptic Curve Cryptography and that the encryption
   algorithm be AES [FIPS197].  Suite B includes [SuiteB]:

   Encryption:
      Advanced Encryption Standard (AES) [FIPS197] (key sizes of
      128 and 256 bits)

   Digital Signature:
      Elliptic Curve Digital Signature Algorithm (ECDSA)
      [FIPS186-3] (using the curves with 256- and 384-bit prime
      moduli).

   Key Exchange:
      Elliptic Curve Diffie-Hellman (ECDH) [SP800-56A] (using the
      curves with 256- and 384-bit prime moduli).

   Hashes:
      SHA-256 and SHA-384 [FIPS180-3].

   The two elliptic curves used in Suite B appear in the literature
   under two different names.  For the sake of clarity, we list both
   names below.

   +-------+-----------+-----------+---------------------+
   | Curve | NIST Name | SECG Name | OID [FIPS186-3]     |
   +-------+-----------+-----------+---------------------+
   | P-256 | nistp256  | secp256r1 | 1.2.840.10045.3.1.7 |
   | P-384 | nistp384  | secp384r1 | 1.3.132.0.34        |
   +-------+-----------+-----------+---------------------+

4.  Minimum Levels of Security (minLOS)

   Suite B provides for two levels of cryptographic security, namely a
   128-bit minimum level of security (minLOS_128) and a 192-bit minimum
   level of security (minLOS_192).  Each level defines a minimum
   strength that all cryptographic algorithms must provide.

4.1.  Non-signature Primitives

   We divide the Suite B non-signature primitives into two columns as
   shown in Table 1.
   +------------------+-------------------+-------------------+
   |                  | Column 1          | Column 2          |
   +------------------+-------------------+-------------------+
   | Encryption       | AES-128           | AES-256           |
   | Key Agreement    | ECDH on P-256     | ECDH on P-384     |
   | Key Wrap         | AES-128 Key Wrap  | AES-256 Key Wrap  |
   | Hash for PRF/MAC | SHA-256           | SHA-384           |
   +------------------+-------------------+-------------------+

        Table 1: Suite B Cryptographic Non-Signature Primitives

   At the 128-bit minimum level of security:

      the non-signature primitives MUST either come exclusively from
      Column 1 or exclusively from Column 2, with Column 1 being the
      preferred suite.

   At the 192-bit minimum level of security:

      the non-signature primitives MUST come exclusively from Column 2.

4.2.  Suite B Authentication

   Digital signatures using ECDSA MUST be used for authentication by
   Suite B compliant BPSec implementations.  To simplify notation,
   ECDSA-256 will be used to represent an instantiation of the ECDSA
   algorithm using the P-256 curve and the SHA-256 hash function, and
   ECDSA-384 will be used to represent an instantiation of the ECDSA
   algorithm using the P-384 curve and the SHA-384 hash function.

   If configured at a minimum level of security of 128 bits, a Suite B
   compliant BPSec implementation MUST use either ECDSA-256 or ECDSA-384
   for authentication.  It is allowable for one party to authenticate
   with ECDSA-256 and the other party to authenticate with ECDSA-384.

   Security-aware nodes in a Suite B compliant BPSec implementation
   configured at a minimum level of security of 128 bits MUST be able to
   verify ECDSA-256 signatures and SHOULD be able to verify ECDSA-384
   signatures unless it is absolutely certain that the implementation
   will never need to verify certificates from an authority which uses
   an ECDSA-384 signing key.
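   The Column rule of Section 4.1, the ECDSA rule of this section and
   the per-block ciphersuite rules of Section 5 together decide whether
   a bundle's security blocks are acceptable at a configured minLOS.
   The checker below is an added example, not code from this draft or
   from any BPSec implementation; it assumes that each Section 5
   ciphersuite name can be read as its list of primitives and that the
   Column exclusivity rule applies across all security blocks of one
   bundle.

```python
"""Suite B minLOS policy check for the security blocks of one BPSec bundle.
Added example (not from the draft): encodes Sections 4.1, 4.2 and 5."""

# Section 4.1, Table 1: the column each non-signature primitive sits in.
COLUMN_OF = {"AES-128": 1, "ECDH-P256": 1, "SHA-256": 1,
             "AES-256": 2, "ECDH-P384": 2, "SHA-384": 2}

# Section 5 ciphersuite names; the primitive breakdown is read off each
# name (assumption, the ciphersuites draft is not reproduced here).
SUITES = {
    "BIB-ECDSA-SHA256": {"sig": "ECDSA-256"},
    "BIB-ECDSA-SHA384": {"sig": "ECDSA-384"},
    "BCB-ECDH-SHA256-AES128": {"kex": "ECDH-P256", "hash": "SHA-256",
                               "enc": "AES-128"},
    "BCB-ECDH-SHA384-AES256": {"kex": "ECDH-P384", "hash": "SHA-384",
                               "enc": "AES-256"},
}

# Section 5 (with the ECDSA choice of Section 4.2): suites permitted per
# block type at each minimum level of security.
ALLOWED = {
    128: {"BIB": {"BIB-ECDSA-SHA256", "BIB-ECDSA-SHA384"},
          "BCB": {"BCB-ECDH-SHA256-AES128", "BCB-ECDH-SHA384-AES256"}},
    192: {"BIB": {"BIB-ECDSA-SHA384"}, "BCB": {"BCB-ECDH-SHA384-AES256"}},
}


def check_bundle(min_los, blocks):
    """Return the violations for a list of (block_type, suite) pairs.
    An empty list means the bundle is Suite B compliant at min_los."""
    if min_los not in ALLOWED:
        raise ValueError("minLOS must be 128 or 192")
    problems, columns_used = [], set()
    for block_type, suite in blocks:
        if suite not in SUITES:
            problems.append(f"{block_type}: {suite} is not a Suite B ciphersuite")
            continue
        if suite not in ALLOWED[min_los].get(block_type, ()):
            problems.append(f"{block_type}: {suite} not permitted at minLOS_{min_los}")
        # Record the Table 1 column of every non-signature primitive used.
        columns_used |= {COLUMN_OF[p] for r, p in SUITES[suite].items() if r != "sig"}
    # Section 4.1: primitives come exclusively from one column (assumption:
    # applied across all blocks of the bundle); only Column 2 at minLOS_192.
    if len(columns_used) > 1:
        problems.append("non-signature primitives mix Table 1 columns")
    if min_los == 192 and columns_used - {2}:
        problems.append("minLOS_192 requires Column 2 primitives only")
    return problems
```

   A node would run check_bundle against its configured minLOS before
   emitting a bundle and again on receipt, treating a non-empty result
   as a policy failure.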
   Security-aware nodes in a Suite B compliant BPSec implementation
   configured at a minimum level of security of 192 bits MUST use
   ECDSA-384 for authentication and MUST be able to verify ECDSA-384
   signatures.

4.3.  Digital Signatures and Certificates

   Security-aware nodes in a Suite B compliant BPSec implementation, at
   both minimum levels of security, MUST each use an X.509 certificate
   that complies with the "Suite B Certificate and Certificate
   Revocation List (CRL) Profile" [RFC5759] and that contains an
   elliptic curve public key with the key usage field set for digital
   signature.  The endpoint IDs MUST be placed in the subjectAltName
   field of the X.509 certificate.

5.  Suite B Ciphersuites

   Each system MUST specify a security level of a minimum of 128 bits or
   192 bits.  The security level determines which suites from
   [I-D.birrane-dtn-bpsec-suiteb-ciphersuites] are allowed.

   Each of the ciphersuites specified in
   [I-D.birrane-dtn-bpsec-suiteb-ciphersuites] satisfies the Suite B
   requirements in Section 3 of this document.

   At the 128-bit minimum level of security:

      If a Block Integrity Block (BIB) is included in the bundle, one of
      BIB-ECDSA-SHA256 or BIB-ECDSA-SHA384 MUST be used by Suite B
      compliant BPSec implementations.

      If a Block Confidentiality Block (BCB) is included in the bundle,
      one of BCB-ECDH-SHA256-AES128 or BCB-ECDH-SHA384-AES256 MUST be
      used by Suite B compliant BPSec implementations.

   At the 192-bit minimum level of security:

      If a Block Integrity Block (BIB) is included in the bundle,
      BIB-ECDSA-SHA384 MUST be used by Suite B compliant BPSec
      implementations.

      If a Block Confidentiality Block (BCB) is included in the bundle,
      BCB-ECDH-SHA384-AES256 MUST be used by Suite B compliant BPSec
      implementations.

6.  Security Considerations

   Two levels of security may be achieved using this specification.
   Users must consider their risk environment to determine which level
   is appropriate for their own use.

   This specification does not consider the CMS Block of the BPSec
   specification.  Details for using CMS in Suite B can be found in
   [RFC6318].  The security considerations in [RFC5652] discuss the CMS
   as a method for digitally signing data and encrypting data.

7.  IANA Considerations

   None.

8.  References

8.1.  Normative References

   [FIPS180-3]
              National Institute of Standards and Technology, "Secure
              Hash Standard", FIPS PUB 180-3, October 2008.

   [FIPS186-3]
              National Institute of Standards and Technology, "Digital
              Signature Standard (DSS)", FIPS PUB 186-3, June 2009.

   [FIPS197]  National Institute of Standards and Technology, "Advanced
              Encryption Standard (AES)", FIPS PUB 197, November 2001.

   [I-D.birrane-dtn-bpsec-suiteb-ciphersuites]
              Birrane, E., "Suite B Ciphersuites for Bundle Protocol
              Security (BPSec)", draft-birrane-dtn-bpsec-suiteb-
              ciphersuites-00 (work in progress), December 2015.

   [I-D.ietf-dtn-bpsec]
              Birrane, E., Pierce-Mayer, J., and D. Iannicca, "Bundle
              Protocol Security Specification", draft-ietf-dtn-bpsec-00
              (work in progress), December 2015.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009.

   [RFC5759]  Solinas, J. and L. Zieglar, "Suite B Certificate and
              Certificate Revocation List (CRL) Profile", RFC 5759,
              DOI 10.17487/RFC5759, January 2010.

   [RFC6318]  Housley, R. and J. Solinas, "Suite B in Secure/
              Multipurpose Internet Mail Extensions (S/MIME)", RFC 6318,
              DOI 10.17487/RFC6318, June 2011.

8.2.  Informative References

   [I-D.hennessy-bsp-suiteb-ciphersuites]
              Burgin, K. and A. Hennessy, "Suite B Ciphersuites for the
              Bundle Security Protocol", draft-hennessy-bsp-suiteb-
              ciphersuites-00 (work in progress), March 2012.

   [I-D.hennessy-bsp-suiteb-profile]
              Burgin, K. and A. Hennessy, "Suite B Profile for the
              Bundle Security Protocol", draft-hennessy-bsp-suiteb-
              profile-00 (work in progress), March 2012.

   [RFC5050]  Scott, K. and S. Burleigh, "Bundle Protocol
              Specification", RFC 5050, DOI 10.17487/RFC5050, November
              2007.

   [RFC6257]  Symington, S., Farrell, S., Weiss, H., and P. Lovell,
              "Bundle Security Protocol Specification", RFC 6257,
              DOI 10.17487/RFC6257, May 2011.

   [SP800-56A]
              National Institute of Standards and Technology,
              "Recommendation for Pair-wise Key Establishment Schemes
              Using Discrete Logarithm Cryptography", NIST Special
              Publication 800-56A, March 2007.

   [SuiteB]   U.S. National Security Agency, "Fact Sheet NSA Suite B
              Cryptography", NIST Special Publication 800-56A, January
              2009.

Author's Address

   Edward J. Birrane
   The Johns Hopkins University Applied Physics Laboratory
   11100 Johns Hopkins Rd.
   Laurel, MD 20723
   US

   Phone: +1 443 778 7423
   Email: Edward.Birrane@jhuapl.edu