Network Working Group                                       S. Josefsson
Internet-Draft                                                    SJD AB
Intended status: Informational                           J. Strombergson
Expires: October 11, 2013                             Secworks Sweden AB
                                                                      N.
                                                       Mavrogiannopoulos
                                                               KU Leuven
                                                           April 9, 2013


          The Salsa20 Stream Cipher for Transport Layer Security
                      draft-josefsson-salsa20-tls-02

Abstract

   This document describes how the Salsa20 stream cipher can be used in
   the Transport Layer Security (TLS) and Datagram Transport Layer
   Security (DTLS) protocols.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 11, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Salsa20 Cipher Suites
     2.1.  Salsa20 Cipher Suites with HMAC-SHA1
     2.2.  Salsa20 Cipher Suites with UMAC-96
   3.  The TLS GenericStreamCipher
   4.  Acknowledgements
   5.  IANA Considerations
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document describes how the Salsa20 stream cipher can be used in
   the Transport Layer Security (TLS) version 1.0 [RFC2246], TLS version
   1.1 [RFC4346], and TLS version 1.2 [RFC5246] protocols, as well as in
   the Datagram Transport Layer Security (DTLS) versions 1.0 [RFC4347]
   and 1.2 [RFC6347].  It can also be used with Secure Sockets Layer
   (SSL) version 3.0 [RFC6101].

   Salsa20 [SALSA20SPEC] is a stream cipher that has been designed for
   high performance in software implementations.  The cipher has a
   compact implementation and uses few resources and inexpensive
   operations, which makes it suitable for implementation on a wide
   range of architectures.  It has been designed to prevent leakage of
   information through side channel analysis, has a simple
   initialization sequence, and provides good key agility and
   performance.  Salsa20 is one of the ciphers selected as part of the
   eSTREAM portfolio of stream ciphers [ESTREAM].

   Recent attacks [CBC-ATTACK] have indicated problems with CBC-mode
   cipher suites in TLS and DTLS, as well as issues with the only
   supported stream cipher (RC4) [RC4-ATTACK].  While the existing AEAD
   ciphersuites address these issues, concerns about their performance
   on general purpose CPUs are sometimes raised [AEAD-PERFORMANCE].
   Moreover, the RC4 cipher cannot be used in DTLS because it does not
   provide random access into its key stream, which has left DTLS with
   no fast stream cipher option.

   The purpose of this document is to provide an alternative stream
   cipher for both TLS and DTLS that is comparable to RC4 in speed on a
   wide range of platforms.

2.  Salsa20 Cipher Suites

   The following variants of Salsa20 are specified.  The variants
   provide a range of performance and security that can be selected as
   appropriate.

   ESTREAM_SALSA20:  Salsa20 with 12 rounds and a 256-bit key.  This
      cipher is the high-performance eSTREAM Salsa20 with a 256-bit key.

   SALSA20:  Salsa20 with 20 rounds and a 256-bit key.  This is the
      original (conservative with respect to security) variant of
      Salsa20.

   In the next sections, different ciphersuites are defined that
   utilize the Salsa20 cipher combined with various MAC methods.

   In all cases, the pseudorandom function (PRF) for TLS 1.2 is the TLS
   PRF with SHA-256 as the hash function.  When used with TLS versions
   prior to 1.2, the PRF is calculated as specified in the appropriate
   version of the TLS specification.
2.1.  Salsa20 Cipher Suites with HMAC-SHA1

   The following CipherSuites are defined:

   TLS_RSA_WITH_ESTREAM_SALSA20_SHA1          = {0xTBD, 0xTBD}
   TLS_RSA_WITH_SALSA20_SHA1                  = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1      = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_SALSA20_SHA1              = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1    = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_SALSA20_SHA1            = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1  = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1          = {0xTBD, 0xTBD}

   TLS_PSK_WITH_ESTREAM_SALSA20_SHA1          = {0xTBD, 0xTBD}
   TLS_PSK_WITH_SALSA20_SHA1                  = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1      = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_SALSA20_SHA1              = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1      = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_SALSA20_SHA1              = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1    = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_SALSA20_SHA1            = {0xTBD, 0xTBD}

   Note that Salsa20 requires a 64-bit nonce.  That nonce is updated on
   the encryption of every TLS record, and is set to be the 64-bit TLS
   record sequence number.  In case of DTLS the 64-bit nonce is formed
   as the concatenation of the 16-bit epoch with the 48-bit sequence
   number.

   The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK,
   ECDHE_PSK key exchanges are performed as defined in [RFC5246],
   [RFC4492], and [RFC5489].

   The MAC algorithm used in the ciphersuites above is HMAC-SHA1
   [RFC6234].

2.2.  Salsa20 Cipher Suites with UMAC-96

   The following CipherSuites utilize Salsa20 in combination with
   UMAC-96 [RFC4418], a very fast MAC algorithm based on Universal
   Hashing.
   TLS_RSA_WITH_ESTREAM_SALSA20_UMAC96          = {0xTBD, 0xTBD}
   TLS_RSA_WITH_SALSA20_UMAC96                  = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_ESTREAM_SALSA20_UMAC96      = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_SALSA20_UMAC96              = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_UMAC96    = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_SALSA20_UMAC96            = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_UMAC96  = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_SALSA20_UMAC96          = {0xTBD, 0xTBD}

   TLS_PSK_WITH_ESTREAM_SALSA20_UMAC96          = {0xTBD, 0xTBD}
   TLS_PSK_WITH_SALSA20_UMAC96                  = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_ESTREAM_SALSA20_UMAC96      = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_SALSA20_UMAC96              = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_ESTREAM_SALSA20_UMAC96      = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_SALSA20_UMAC96              = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_UMAC96    = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_SALSA20_UMAC96            = {0xTBD, 0xTBD}

   Note that both Salsa20 and UMAC-96 are used with a 64-bit nonce.
   That nonce is set to be the 64-bit TLS record sequence number.  In
   case of DTLS the 64-bit nonce is formed as the concatenation of the
   16-bit epoch with the 48-bit sequence number.

   The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK,
   ECDHE_PSK key exchanges are performed as defined in [RFC5246],
   [RFC4492], and [RFC5489].

3.  The TLS GenericStreamCipher

   The ciphersuites defined in this document differ from the TLS RC4
   ciphersuites that have been the basis for the definition of
   GenericStreamCipher.  Unlike RC4, Salsa20 requires a nonce per
   record.  This, however, does not affect the description of the
   GenericStreamCipher if one assumes that a nonce is optional and
   depends on the cipher's characteristics (in that case RC4 uses a
   0-byte nonce, and Salsa20 an 8-byte nonce).
   Moreover, in order to accommodate MAC algorithms like UMAC that
   require a nonce as part of their operation, the document extends the
   MAC algorithm as specified in the TLS protocol.  The extended MAC
   includes a nonce as a second parameter.  MAC algorithms that do not
   require a nonce, such as HMAC, are assumed to ignore the nonce input
   value.  The MAC in a GenericStreamCipher is then calculated as
   follows.

      MAC(MAC_write_key, nonce,
          seq_num +
          TLSCompressed.type +
          TLSCompressed.version +
          TLSCompressed.length +
          TLSCompressed.fragment);

   where "+" denotes concatenation.

   nonce    The nonce for this record.  If the size of the nonce
            accepted by the MAC is 64 bits, then nonce equals the
            sequence number (or the concatenation of the 16-bit epoch
            with the 48-bit sequence number in DTLS).  Otherwise the MAC
            algorithm must specify how the nonce is formed.

   seq_num  The sequence number for this record.

   MAC      The MAC algorithm specified by
            SecurityParameters.mac_algorithm.

   As specified in TLS [RFC5246], the MAC is computed before encryption
   and the stream cipher encrypts the entire block, including the MAC.

4.  Acknowledgements

   The authors would like to thank D. J. Bernstein, David McGrew,
   Wan-Teh Chang, and Adam Langley for discussion and suggestions.
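The nonce construction of Section 2 and the MAC-then-encrypt record processing of Section 3, as an added worked example that is not part of the draft or of any implementation it describes. It implements the Salsa20/r keystream from the Salsa20 specification (rounds=12 for ESTREAM_SALSA20, 20 for SALSA20), uses HMAC-SHA1 (which ignores the extended MAC's nonce input), and assumes big-endian encoding of the sequence number and epoch into the nonce bytes; all function names are this example's own.

```python
import hmac, hashlib, struct
M32 = 0xFFFFFFFF
def rotl(v, c): return ((v << c) | (v >> (32 - c))) & M32

def quarterround(y0, y1, y2, y3):  # the add-rotate-xor step of the Salsa20 spec
    z1 = y1 ^ rotl((y0 + y3) & M32, 7)
    z2 = y2 ^ rotl((z1 + y0) & M32, 9)
    z3 = y3 ^ rotl((z2 + z1) & M32, 13)
    z0 = y0 ^ rotl((z3 + z2) & M32, 18)
    return z0, z1, z2, z3

def salsa20_block(key, nonce, counter, rounds=20):
    """One 64-byte keystream block; rounds=12 is ESTREAM_SALSA20, 20 is SALSA20."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    ctr = struct.unpack("<2I", struct.pack("<Q", counter))
    sigma = struct.unpack("<4I", b"expand 32-byte k")  # 256-bit key constants
    x = [sigma[0], k[0], k[1], k[2], k[3], sigma[1], n[0], n[1],
         ctr[0], ctr[1], sigma[2], k[4], k[5], k[6], k[7], sigma[3]]
    s = list(x)
    for _ in range(rounds // 2):  # one doubleround per pass: columnround, then rowround
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            s[a], s[b], s[c], s[d] = quarterround(s[a], s[b], s[c], s[d])
        for a, b, c, d in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            s[a], s[b], s[c], s[d] = quarterround(s[a], s[b], s[c], s[d])
    return struct.pack("<16I", *[(s[i] + x[i]) & M32 for i in range(16)])

def salsa20_xor(key, nonce, data, rounds=20):
    # Blocks are indexed by a 64-bit counter, so every record is processed
    # independently from its own nonce (the random access that RC4 lacks).
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64, rounds)
        out += bytes(p ^ q for p, q in zip(data[off:off + 64], ks))
    return bytes(out)

def record_nonce(seq_num, epoch=None):
    # TLS: the 64-bit record sequence number.  DTLS: 16-bit epoch || 48-bit
    # sequence number.  Big-endian encoding is this example's assumption.
    if epoch is None:
        return struct.pack(">Q", seq_num)
    return struct.pack(">H", epoch) + seq_num.to_bytes(6, "big")

def tls_mac(mac_key, seq_num, ctype, version, fragment):
    # MAC(key, nonce, seq_num + type + version + length + fragment); HMAC-SHA1
    # ignores the nonce input of the extended MAC, so it is not passed here.
    hdr = bytes([ctype]) + version + struct.pack(">H", len(fragment))
    return hmac.new(mac_key, struct.pack(">Q", seq_num) + hdr + fragment,
                    hashlib.sha1).digest()

def protect_record(mac_key, enc_key, seq_num, ctype, version, fragment, epoch=None, rounds=20):
    # MAC first, then the stream cipher encrypts fragment || MAC under the record nonce.
    mac = tls_mac(mac_key, seq_num, ctype, version, fragment)
    return salsa20_xor(enc_key, record_nonce(seq_num, epoch), fragment + mac, rounds)

def unprotect_record(mac_key, enc_key, seq_num, ctype, version, ciphertext, epoch=None, rounds=20):
    plain = salsa20_xor(enc_key, record_nonce(seq_num, epoch), ciphertext, rounds)
    fragment, mac = plain[:-20], plain[-20:]  # HMAC-SHA1 tag is 20 bytes
    ok = hmac.compare_digest(mac, tls_mac(mac_key, seq_num, ctype, version, fragment))
    return fragment if ok else None  # MAC failure: the record must be rejected
```

A receiver that decrypts with the wrong sequence number (and so the wrong nonce) or a modified ciphertext gets a MAC mismatch, which is what makes per-record nonces safe to derive from the sequence number rather than transmit.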
5.  IANA Considerations

   IANA is requested to allocate the following numbers in the TLS Cipher
   Suite Registry:

   TLS_RSA_WITH_ESTREAM_SALSA20_SHA1            = {0xTBD, 0xTBD}
   TLS_RSA_WITH_SALSA20_SHA1                    = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1        = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_SALSA20_SHA1                = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1      = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_SALSA20_SHA1              = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1    = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1            = {0xTBD, 0xTBD}

   TLS_PSK_WITH_ESTREAM_SALSA20_SHA1            = {0xTBD, 0xTBD}
   TLS_PSK_WITH_SALSA20_SHA1                    = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1        = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_SALSA20_SHA1                = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1        = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_SALSA20_SHA1                = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1      = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_SALSA20_SHA1              = {0xTBD, 0xTBD}

   TLS_RSA_WITH_ESTREAM_SALSA20_UMAC96          = {0xTBD, 0xTBD}
   TLS_RSA_WITH_SALSA20_UMAC96                  = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_ESTREAM_SALSA20_UMAC96      = {0xTBD, 0xTBD}
   TLS_DHE_RSA_WITH_SALSA20_UMAC96              = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_UMAC96    = {0xTBD, 0xTBD}
   TLS_ECDHE_RSA_WITH_SALSA20_UMAC96            = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_UMAC96  = {0xTBD, 0xTBD}
   TLS_ECDHE_ECDSA_WITH_SALSA20_UMAC96          = {0xTBD, 0xTBD}

   TLS_PSK_WITH_ESTREAM_SALSA20_UMAC96          = {0xTBD, 0xTBD}
   TLS_PSK_WITH_SALSA20_UMAC96                  = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_ESTREAM_SALSA20_UMAC96      = {0xTBD, 0xTBD}
   TLS_DHE_PSK_WITH_SALSA20_UMAC96              = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_ESTREAM_SALSA20_UMAC96      = {0xTBD, 0xTBD}
   TLS_RSA_PSK_WITH_SALSA20_UMAC96              = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_UMAC96    = {0xTBD, 0xTBD}
   TLS_ECDHE_PSK_WITH_SALSA20_UMAC96            = {0xTBD, 0xTBD}
6.  Security Considerations

   The security of Salsa20 is discussed in the Salsa20 security paper
   [SALSA20-SECURITY].  At the time of writing this document, there are
   no known significant security problems with the eSTREAM variant of
   Salsa20, nor with the original 20-round variant.  As of early 2013,
   the best cryptanalysis breaks 8 out of 20 rounds to recover the
   256-bit secret key in 2^251 operations, using 2^31 keystream pairs
   (see [SALSA20-ATTACK]).  For more background, see the eSTREAM report
   [ESTREAM].

   There are no ciphersuites defined in this document that utilize the
   variant of Salsa20 with 128-bit key material, because (due to the
   design of Salsa20) they provide no performance advantage over the
   256-bit variant.

   The ciphersuites that utilize UMAC-96 use a short MAC (96 bits), to
   be consistent with the MAC size used in the TLS Finished messages,
   which is also 96 bits, and thus allow room for more data in TLS
   records.  The security considerations of [RFC4418] also apply.

   This document should not introduce any security considerations other
   than those that follow directly from any use of the stream cipher
   Salsa20 and those that follow directly from introducing any set of
   stream cipher suites into TLS and DTLS.

7.  References

7.1.  Normative References

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC4347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security", RFC 4347, April 2006.

   [RFC4418]  Krovetz, T., "UMAC: Message Authentication Code using
              Universal Hashing", RFC 4418, March 2006.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC6234]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

   [SALSA20SPEC]
              Bernstein, D., "Salsa20 specification",
              WWW http://cr.yp.to/snuffle/spec.pdf, April 2005.

7.2.  Informative References

   [RFC6101]  Freier, A., Karlton, P., and P. Kocher, "The Secure
              Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
              August 2011.

   [SALSA20-SECURITY]
              Bernstein, D., "Salsa20 security",
              WWW http://cr.yp.to/snuffle/security.pdf, April 2005.

   [ESTREAM]  Babbage, S., De Canniere, C., Canteaut, A., Cid, C.,
              Gilbert, H., Johansson, T., Parker, M., Preneel, B.,
              Rijmen, V., and M. Robshaw, "The eSTREAM Portfolio (rev.
              1)", WWW http://www.ecrypt.eu.org/stream/finallist.html,
              September 2008.

   [CBC-ATTACK]
              AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, 2013.

   [RC4-ATTACK]
              Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full
              Plaintext Recovery Attack on Broadcast RC4", International
              Workshop on Fast Software Encryption, 2013.

   [AEAD-PERFORMANCE]
              Krovetz, T. and P. Rogaway, "The Software Performance of
              Authenticated-Encryption Modes", International Workshop on
              Fast Software Encryption, 2011.

   [SALSA20-ATTACK]
              Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and
              C. Rechberger, "New Features of Latin Dances: Analysis of
              Salsa, ChaCha, and Rumba",
              WWW http://eprint.iacr.org/2007/472.pdf, 2007.
Authors' Addresses

   Simon Josefsson
   SJD AB

   Email: simon@josefsson.org
   URI:   http://josefsson.org/


   Joachim Strombergson
   Secworks Sweden AB

   Email: joachim@secworks.se
   URI:   http://secworks.se/


   Nikos Mavrogiannopoulos
   KU Leuven

   Email: nikos.mavrogiannopoulos@esat.kuleuven.be