TLS Working Group                                                  B. Han
Internet Draft                                                    D. Shin
Obsoletes: 4162                                                  H. Jeong
Intended Status: Standards Track                                   Y. Won
Expires: December 17, 2011                                           KISA
                                                            June 15, 2011


     Addition of SEED Cipher Suites to Transport Layer Security (TLS)
                         draft-bjhan-tls-seed-00

Abstract

   This document proposes the addition of new cipher suites to the
   Transport Layer Security (TLS) protocol to support the SEED
   encryption algorithm as a block cipher algorithm.  This document
   obsoletes RFC 4162.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright and License Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  SEED
     1.2.  Terminology
   2.  Proposed Cipher Suites
     2.1.  HMAC-Based Cipher Suites
     2.2.  GCM-Based Cipher Suites
     2.3.  PSK Cipher Suites
   3.  Cipher Suite Definitions
     3.1.  Key Exchange
     3.2.  Cipher
     3.3.  PRFs
     3.4.  PSK Cipher Suites
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document specifies cipher suites for the Transport Layer
   Security (TLS) [RFC5246] protocol to support the SEED [RFC4269]
   encryption algorithm as a block cipher algorithm.  The cipher suites
   include variants using the SHA-2 family of cryptographic hash
   functions and SEED in Galois Counter Mode.  Elliptic curve cipher
   suites and pre-shared key (PSK) cipher suites are also defined.

   Cipher suites with SHA-1 are not included in this document.  Due to
   recent analytic work on SHA-1 [Wang05], the IETF is gradually moving
   away from SHA-1 and towards stronger hash algorithms.

   SEED cipher suites for TLS 1.0 were originally specified in
   [RFC4162].  This document obsoletes RFC 4162.

1.1.  SEED
   SEED is a symmetric encryption algorithm that was developed by the
   Korea Internet & Security Agency (KISA) and a group of experts,
   beginning in 1998.  The input/output block size of SEED is 128 bits
   and the key length is also 128 bits.  SEED is a 16-round Feistel
   cipher: the 128-bit input is divided into two 64-bit halves, and in
   each round the right 64-bit half is fed to the round function
   together with a 64-bit subkey produced by the key schedule.

   SEED is easily implemented in software and hardware because it is
   designed for efficient memory use and a simple key schedule without
   degrading the security of the algorithm.  In particular, it can be
   adopted effectively in resource-constrained environments such as
   mobile devices and smart cards.

   SEED is a national industrial association standard [TTASSEED] and is
   widely used in South Korea for electronic commerce and financial
   services built on wired and wireless PKI.  The SEED homepage,
   http://seed.kisa.or.kr/eng/about/about.jsp, contains a wealth of
   information about SEED, including the detailed specification,
   evaluation reports, test vectors, and so on.

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Proposed Cipher Suites

2.1.  HMAC-Based Cipher Suites

   The first ten cipher suites use SEED [RFC4269] in Cipher Block
   Chaining (CBC) mode with a SHA-2 family Hashed Message Authentication
   Code (HMAC).  Four of the ten use elliptic curve key exchange (eight
   of the twenty suites in this section and the next do).
   CipherSuite TLS_RSA_WITH_SEED_128_CBC_SHA256          = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_SEED_128_CBC_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_SEED_128_CBC_SHA256       = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };

   CipherSuite TLS_ECDHE_ECDSA_WITH_SEED_128_CBC_SHA256  = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_SEED_128_CBC_SHA256   = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_SEED_128_CBC_SHA256    = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_SEED_128_CBC_SHA256     = { TBD,TBD };

2.2.  GCM-Based Cipher Suites

   The next ten cipher suites use the same asymmetric algorithms as
   those in the previous section but use the authenticated encryption
   mode defined in TLS 1.2 with SEED in Galois Counter Mode (GCM) [GCM].

   CipherSuite TLS_RSA_WITH_SEED_128_GCM_SHA256          = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_SEED_128_GCM_SHA256       = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_SEED_128_GCM_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };

   CipherSuite TLS_ECDHE_ECDSA_WITH_SEED_128_GCM_SHA256  = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_SEED_128_GCM_SHA256   = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_SEED_128_GCM_SHA256    = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_SEED_128_GCM_SHA256     = { TBD,TBD };

2.3.  PSK Cipher Suites

   The next seven cipher suites are PSK cipher suites.  Four of them
   use SEED in CBC mode with an HMAC and three use SEED in Galois
   Counter Mode.
   CipherSuite TLS_PSK_WITH_SEED_128_CBC_SHA256          = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_PSK_WITH_SEED_128_GCM_SHA256          = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_ECDHE_PSK_WITH_SEED_128_CBC_SHA256    = { TBD,TBD };

3.  Cipher Suite Definitions

3.1.  Key Exchange

   The RSA, DHE_RSA, DH_RSA, DHE_DSS, DH_DSS, and DH_anon key exchanges
   are performed as defined in [RFC5246].  The ECDH and ECDHE key
   exchanges are performed as in the elliptic curve cipher suites of
   [RFC5289].

3.2.  Cipher

   The SEED_128_CBC cipher suites use SEED [RFC4269] in CBC mode with a
   128-bit key and a 128-bit Initialization Vector (IV).  As for the
   other TLS 1.2 block cipher suites [RFC5246], the IV is explicit and
   carried in each record, and each record is protected by computing
   the HMAC named by the suite, padding, and then encrypting (MAC-then-
   encrypt).

   The AES authenticated encryption with additional data (AEAD)
   algorithm AEAD_AES_128_GCM is described in [RFC5116], and AES GCM
   cipher suites for TLS are described in [RFC5288].  AES and SEED share
   common characteristics, including key size and block length.
   SEED_128_GCM is therefore defined with the same parameters as
   AES_128_GCM: a 128-bit key; a 12-byte nonce whose 4-byte implicit
   part is taken from the key block (client_write_IV or
   server_write_IV) and whose 8-byte explicit part is carried in the
   record; a 16-byte authentication tag; and additional data consisting
   of the sequence number and the record header, as in [RFC5288].

3.3.  PRFs

   The pseudorandom functions (PRFs) SHALL be as follows:

   a.  For cipher suites ending with _SHA256, the PRF is the TLS PRF
       [RFC5246] using SHA-256 as the hash function.

   b.  For cipher suites ending with _SHA384, the PRF is the TLS PRF
       [RFC5246] using SHA-384 as the hash function.  (All cipher
       suites defined in this document end with _SHA256.)

3.4.  PSK Cipher Suites

   Pre-shared key cipher suites for TLS are described in [RFC4279],
   [RFC4785], [RFC5487], and [RFC5489].

4.  Security Considerations

   At the time of writing, no security problem has been found in SEED.
   SEED is robust against known attacks, including differential
   cryptanalysis, linear cryptanalysis, and related-key attacks, and
   has gone through wide public scrutiny.
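   Sections 3.2 and 3.3 above define the SEED suites by reference to
   their AES counterparts in [RFC5246] and [RFC5288].  The following
   worked example, added here and not code from this draft or from
   KISA, makes that concrete for an implementer: it implements the
   SHA-256 PRF, partitions the key_block for one SEED_128_CBC_SHA256
   suite and one SEED_128_GCM_SHA256 suite, builds the 13-byte header
   that the CBC suites MAC and the GCM suites pass as additional data,
   and assembles the 12-byte GCM nonce.  The master secret and random
   values are constructed, not from any real session, and SEED itself
   is not in the Python standard library, so the block cipher is not
   invoked; the sizes in SUITE_PARAMS are the AES_128 values from
   RFC 5246, Section 6.3, and RFC 5288, Section 3, carried over to
   SEED_128 as Section 3.2 specifies.

```python
"""TLS 1.2 key derivation and record framing for the SEED cipher suites.

Added example; not code from draft-bjhan-tls-seed-00 or from KISA.  SEED is
not in the Python standard library, so the block cipher itself is never
invoked here.  Everything the draft defines by reference is implemented:
the SHA-256 PRF (RFC 5246, Section 5), the key_block partition (RFC 5246,
Section 6.3), the 13-byte header that the CBC suites MAC (RFC 5246,
Section 6.2.3.1) and that the GCM suites authenticate as additional data,
and the GCM nonce layout (RFC 5288, Section 3), with SEED_128 taking the
AES_128 sizes because both have 128-bit keys and 128-bit blocks.
"""
import hmac
import struct

# Sizes per suite family.  TLS 1.2 CBC suites carry an explicit 16-byte IV in
# every record, so no IV is taken from key_block; GCM suites take a 4-byte
# implicit salt from key_block and carry an 8-byte explicit nonce per record.
SUITE_PARAMS = {
    "SEED_128_CBC_SHA256": dict(mac_key_len=32, enc_key_len=16,
                                fixed_iv_len=0, record_iv_len=16),
    "SEED_128_GCM_SHA256": dict(mac_key_len=0, enc_key_len=16,
                                fixed_iv_len=4, record_iv_len=8),
}


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str) -> bytes:
    """P_<hash> from RFC 5246, Section 5: HMAC chained through A(i)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int,
        hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label + seed).  Suites ending in _SHA256
    use "sha256"; a _SHA384 suite would pass "sha384"."""
    return p_hash(secret, label + seed, length, hash_name)


def derive_keys(master_secret: bytes, server_random: bytes,
                client_random: bytes, suite: str) -> dict:
    """Partition key_block = PRF(master_secret, "key expansion",
    server_random + client_random) in the order fixed by RFC 5246, 6.3."""
    p = SUITE_PARAMS[suite]
    total = 2 * (p["mac_key_len"] + p["enc_key_len"] + p["fixed_iv_len"])
    block = prf(master_secret, b"key expansion", server_random + client_random, total)
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [p["mac_key_len"]] * 2 + [p["enc_key_len"]] * 2 + [p["fixed_iv_len"]] * 2
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def record_header(seq_num: int, content_type: int, version: int, length: int) -> bytes:
    """seq_num(8) || type(1) || version(2) || length(2): the 13 bytes that the
    CBC MAC input (RFC 5246, 6.2.3.1) and the GCM AAD (RFC 5288, 3) share."""
    return struct.pack("!QBHH", seq_num, content_type, version, length)


def cbc_mac(mac_key: bytes, seq_num: int, content_type: int, version: int,
            fragment: bytes) -> bytes:
    """MAC of a SEED_128_CBC_SHA256 record: HMAC-SHA256(header || fragment),
    computed before padding and CBC encryption (MAC-then-encrypt)."""
    data = record_header(seq_num, content_type, version, len(fragment)) + fragment
    return hmac.new(mac_key, data, "sha256").digest()


def gcm_nonce_and_aad(write_iv: bytes, explicit_nonce: bytes, seq_num: int,
                      content_type: int, version: int, plaintext_len: int):
    """Nonce and AAD of a SEED_128_GCM_SHA256 record (RFC 5288, Section 3):
    nonce = 4-byte implicit salt from key_block || 8-byte explicit nonce
    from the record; the AAD length field is the plaintext length."""
    p = SUITE_PARAMS["SEED_128_GCM_SHA256"]
    if len(write_iv) != p["fixed_iv_len"] or len(explicit_nonce) != p["record_iv_len"]:
        raise ValueError("GCM nonce is salt(4) || explicit(8)")
    return write_iv + explicit_nonce, record_header(seq_num, content_type, version, plaintext_len)


if __name__ == "__main__":
    # Constructed handshake values; not taken from any real session.
    master_secret = bytes(range(48))
    client_random, server_random = b"\x11" * 32, b"\x22" * 32
    for suite in SUITE_PARAMS:
        keys = derive_keys(master_secret, server_random, client_random, suite)
        print(suite, {k: len(v) for k, v in keys.items()})
    gcm = derive_keys(master_secret, server_random, client_random, "SEED_128_GCM_SHA256")
    nonce, aad = gcm_nonce_and_aad(gcm["client_write_IV"], (1).to_bytes(8, "big"), 1, 23, 0x0303, 5)
    print("GCM nonce", nonce.hex(), "AAD", aad.hex())
    cbc = derive_keys(master_secret, server_random, client_random, "SEED_128_CBC_SHA256")
    print("CBC MAC", cbc_mac(cbc["client_write_MAC_key"], 1, 23, 0x0303, b"hello").hex())
```

   Two things the output makes visible that the prose does not: the
   CBC suite derives no IV from the key block at all (the 96-byte
   key_block is two 32-byte MAC keys and two 16-byte SEED keys), while
   the GCM suite derives no MAC key and only a 4-byte salt per
   direction, so the uniqueness of the 8-byte explicit part under a
   given key is entirely the sender's responsibility.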
   In particular, SEED has been evaluated and judged cryptographically
   secure by ISO/IEC JTC 1/SC 27 and by Japan's CRYPTREC (Cryptography
   Research and Evaluation Committees) [ISO-SEED] [CRYPTREC], and has
   been standardized by ISO/IEC JTC 1/SC 27 in ISO/IEC 18033-3.

   For further security considerations, the reader is encouraged to
   read [SEED-EVAL].

   The security considerations in the following RFCs apply to this
   document as well: [RFC4279], [RFC4785], [RFC5116], [RFC5288],
   [RFC5289], [RFC5487], and [GCM].  Two requirements from those
   documents deserve emphasis here.  For the SEED_128_GCM suites, the
   nonce MUST be distinct for every record protected under a given key
   [RFC5116] [RFC5288]; a repeated nonce breaks GCM's confidentiality
   and forgery resistance.  For the SEED_128_CBC suites, the padding
   and MAC checks should be implemented as described in Section 6.2.3.2
   of [RFC5246], so that the time taken to reject a record does not
   reveal which of the two checks failed.

5.  IANA Considerations

   IANA is requested to allocate the following numbers in the TLS Cipher
   Suite Registry:

   CipherSuite TLS_RSA_WITH_SEED_128_CBC_SHA256          = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_SEED_128_CBC_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_SEED_128_CBC_SHA256       = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };

   CipherSuite TLS_ECDHE_ECDSA_WITH_SEED_128_CBC_SHA256  = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_SEED_128_CBC_SHA256   = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_SEED_128_CBC_SHA256    = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_SEED_128_CBC_SHA256     = { TBD,TBD };

   CipherSuite TLS_RSA_WITH_SEED_128_GCM_SHA256          = { TBD,TBD };
   CipherSuite TLS_DHE_RSA_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_RSA_WITH_SEED_128_GCM_SHA256       = { TBD,TBD };
   CipherSuite TLS_DHE_DSS_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_DH_DSS_WITH_SEED_128_GCM_SHA256       = { TBD,TBD };
   CipherSuite TLS_DH_anon_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };

   CipherSuite TLS_ECDHE_ECDSA_WITH_SEED_128_GCM_SHA256  = { TBD,TBD };
   CipherSuite TLS_ECDH_ECDSA_WITH_SEED_128_GCM_SHA256   = { TBD,TBD };
   CipherSuite TLS_ECDHE_RSA_WITH_SEED_128_GCM_SHA256    = { TBD,TBD };
   CipherSuite TLS_ECDH_RSA_WITH_SEED_128_GCM_SHA256     = { TBD,TBD };

   CipherSuite TLS_PSK_WITH_SEED_128_CBC_SHA256          = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_SEED_128_CBC_SHA256      = { TBD,TBD };
   CipherSuite TLS_PSK_WITH_SEED_128_GCM_SHA256          = { TBD,TBD };
   CipherSuite TLS_DHE_PSK_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_RSA_PSK_WITH_SEED_128_GCM_SHA256      = { TBD,TBD };
   CipherSuite TLS_ECDHE_PSK_WITH_SEED_128_CBC_SHA256    = { TBD,TBD };

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4162]  Lee, H., Yoon, J., and J. Lee, "Addition of SEED Cipher
              Suites to Transport Layer Security (TLS)", RFC 4162,
              August 2005.

   [RFC4269]  Lee, H., Lee, S., Yoon, J., Cheon, D., and J. Lee, "The
              SEED Encryption Algorithm", RFC 4269, December 2005.

   [RFC4279]  Eronen, P., Ed., and H. Tschofenig, Ed., "Pre-Shared Key
              Ciphersuites for Transport Layer Security (TLS)",
              RFC 4279, December 2005.

   [RFC4785]  Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK)
              Ciphersuites with NULL Encryption for Transport Layer
              Security (TLS)", RFC 4785, January 2007.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              August 2008.

   [RFC5289]  Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA-
              256/384 and AES Galois Counter Mode (GCM)", RFC 5289,
              August 2008.

   [RFC5487]  Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA-
              256/384 and AES Galois Counter Mode", RFC 5487, March
              2009.

   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [GCM]      Dworkin, M., "Recommendation for Block Cipher Modes of
              Operation: Galois/Counter Mode (GCM) and GMAC", NIST SP
              800-38D, November 2007.

6.2.  Informative References

   [Wang05]   Wang, X., Yin, Y., and H. Yu, "Finding Collisions in the
              Full SHA-1", CRYPTO 2005, LNCS vol. 3621, pp. 17-36,
              August 2005.

   [TTASSEED] Telecommunications Technology Association (TTA), South
              Korea, "128-bit Symmetric Block Cipher (SEED)", TTAS.KO-
              12.0004, September 1998 (in Korean),
              http://www.tta.or.kr/English/new/main/index.htm

   [CRYPTREC] Information-technology Promotion Agency (IPA), Japan,
              CRYPTREC, "SEED Evaluation Report", February 2002,
              http://seed.kisa.or.kr/seed/down/SEED_Evaluation_Report_by_CRYPTREC.pdf

   [ISO-SEED] ISO/IEC JTC 1/SC 27, "Encryption algorithms - Part 3:
              Block ciphers", ISO/IEC 18033-3, December 2010.

   [SEED-EVAL] KISA, "Self Evaluation Report",
              http://seed.kisa.or.kr/seed/down/SEED_Self_Evaluation-English.pdf

Authors' Addresses

   Byoungjin Han
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
   Email: labon58@gmail.com, bjhan@kisa.or.kr

   Donghoon Shin
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
   Email: dhshin@kisa.or.kr

   Hyuncheol Jeong
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
   Email: hcjung@kisa.or.kr

   Yoojae Won
   Korea Internet & Security Agency
   IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950
   Email: yjwon@kisa.or.kr