Network Working Group                                       S. Josefsson
Internet-Draft                                                    SJD AB
Intended status: Informational                           J. Strombergson
Expires: May 31, 2014                                 Secworks Sweden AB
                                                     N. Mavrogiannopoulos
                                                                 Red Hat
                                                       November 27, 2013

          The Salsa20 Stream Cipher for Transport Layer Security
                     draft-josefsson-salsa20-tls-04

Abstract

   This document describes how the Salsa20 stream cipher can be used in
   the Transport Layer Security (TLS) and Datagram Transport Layer
   Security (DTLS) protocols.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 31, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Salsa20 Cipher Suites
     2.1.  Salsa20 Cipher Suites with HMAC-SHA1
   3.  The TLS GenericStreamCipher
   4.  Acknowledgements
   5.  IANA Considerations
   6.  Security Considerations
   7.  Algorithm Selection Background
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document describes how the Salsa20 stream cipher can be used in
   the Transport Layer Security (TLS) version 1.0 [RFC2246], TLS version
   1.1 [RFC4346], and TLS version 1.2 [RFC5246] protocols, as well as in
   the Datagram Transport Layer Security (DTLS) versions 1.0 [RFC4347]
   and 1.2 [RFC6347].  It can also be used with Secure Sockets Layer
   (SSL) version 3.0 [RFC6101].

   Salsa20 [SALSA20SPEC] is a stream cipher that has been designed for
   high performance in software implementations.  The cipher has a
   compact implementation and uses few resources and inexpensive
   operations, which makes it suitable for implementation on a wide
   range of architectures.  It has been designed to prevent leakage of
   information through side-channel analysis, has a simple and fast key
   setup, and provides good overall performance.  Salsa20 is one of the
   ciphers selected as part of the eSTREAM portfolio of stream ciphers
   [ESTREAM].

   Recent attacks [CBC-ATTACK] have indicated problems with CBC-mode
   cipher suites in TLS and DTLS, as well as issues with the only
   supported stream cipher (RC4) [RC4-ATTACK].  While the existing AEAD
   ciphersuites address these issues, concerns about their performance
   on general-purpose CPUs are sometimes raised [AEAD-PERFORMANCE].
   Moreover, the DTLS protocol cannot take advantage of the fast RC4
   stream cipher, because RC4 does not provide random access into its
   key stream.

   Therefore, a new stream cipher that replaces RC4 and addresses all of
   the previous issues is needed.  It is the purpose of this document to
   describe a secure stream cipher for both TLS and DTLS that is
   comparable to RC4 in speed on a wide range of platforms.

2.  Salsa20 Cipher Suites

   The following variants of Salsa20 are specified.  The variants
   provide a range of performance and security that can be selected as
   appropriate.

   ESTREAM_SALSA20:  Salsa20 with 12 rounds and a 256-bit key.  This
      cipher is the high-performance eSTREAM Salsa20 with a 256-bit key.

   SALSA20:  Salsa20 with 20 rounds and a 256-bit key.  This is the
      original (conservative with respect to security) variant of
      Salsa20.

   In the next sections, different ciphersuites are defined that utilize
   the Salsa20 cipher combined with various MAC methods.

   In all cases, the pseudorandom function (PRF) for TLS 1.2 is the TLS
   PRF with SHA-256 as the hash function.  When used with TLS versions
   prior to 1.2, the PRF is calculated as specified in the appropriate
   version of the TLS specification.

2.1.  Salsa20 Cipher Suites with HMAC-SHA1

   The following CipherSuites are defined (the third column contains
   the ciphersuite numbers suggested to IANA):

   TLS_RSA_WITH_ESTREAM_SALSA20_SHA1         = {0xTBD, 0xTBD} {0xE4, 0x10}
   TLS_RSA_WITH_SALSA20_SHA1                 = {0xTBD, 0xTBD} {0xE4, 0x11}

   TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1   = {0xTBD, 0xTBD} {0xE4, 0x12}
   TLS_ECDHE_RSA_WITH_SALSA20_SHA1           = {0xTBD, 0xTBD} {0xE4, 0x13}

   TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x14}
   TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1         = {0xTBD, 0xTBD} {0xE4, 0x15}

   TLS_PSK_WITH_ESTREAM_SALSA20_SHA1         = {0xTBD, 0xTBD} {0xE4, 0x16}
   TLS_PSK_WITH_SALSA20_SHA1                 = {0xTBD, 0xTBD} {0xE4, 0x17}
   TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1   = {0xTBD, 0xTBD} {0xE4, 0x18}
   TLS_ECDHE_PSK_WITH_SALSA20_SHA1           = {0xTBD, 0xTBD} {0xE4, 0x19}

   TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1     = {0xTBD, 0xTBD} {0xE4, 0x1A}
   TLS_RSA_PSK_WITH_SALSA20_SHA1             = {0xTBD, 0xTBD} {0xE4, 0x1B}

   TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1     = {0xTBD, 0xTBD} {0xE4, 0x1C}
   TLS_DHE_PSK_WITH_SALSA20_SHA1             = {0xTBD, 0xTBD} {0xE4, 0x1D}

   TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1     = {0xTBD, 0xTBD} {0xE4, 0x1E}
   TLS_DHE_RSA_WITH_SALSA20_SHA1             = {0xTBD, 0xTBD} {0xE4, 0x1F}

   Note that Salsa20 requires a 64-bit nonce.  That nonce is updated on
   the encryption of every TLS record, and is set to the 64-bit TLS
   record sequence number.  In the case of DTLS, the 64-bit nonce is
   formed as the concatenation of the 16-bit epoch with the 48-bit
   sequence number.

   The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK, and
   ECDHE_PSK key exchanges are performed as defined in [RFC5246],
   [RFC4492], and [RFC5489].

   The MAC algorithm used in the ciphersuites above is HMAC-SHA1
   [RFC6234].

3.  The TLS GenericStreamCipher

   The ciphersuites defined in this document differ from the TLS RC4
   ciphersuites that have been the basis for the definition of
   GenericStreamCipher.  Unlike RC4, Salsa20 requires a nonce per
   record.  This, however, does not affect the description of the
   GenericStreamCipher if one assumes that a nonce is optional and
   depends on the cipher's characteristics (in that case, RC4 uses a
   0-byte nonce and Salsa20 an 8-byte nonce).

   As specified in TLS [RFC5246], the MAC is computed before encryption,
   and the stream cipher encrypts the entire block, including the MAC.

4.  Acknowledgements

   The authors would like to thank D. J. Bernstein, David McGrew, Wan-
   Teh Chang, and Adam Langley for discussion and suggestions.

5.  IANA Considerations

   IANA is requested to allocate the following numbers in the TLS Cipher
   Suite Registry (the third column contains the suggested ciphersuite
   numbers):

   TLS_RSA_WITH_ESTREAM_SALSA20_SHA1         = {0xTBD, 0xTBD} {0xE4, 0x10}
   TLS_RSA_WITH_SALSA20_SHA1                 = {0xTBD, 0xTBD} {0xE4, 0x11}

   TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1   = {0xTBD, 0xTBD} {0xE4, 0x12}
   TLS_ECDHE_RSA_WITH_SALSA20_SHA1           = {0xTBD, 0xTBD} {0xE4, 0x13}

   TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1 = {0xTBD, 0xTBD} {0xE4, 0x14}
   TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1         = {0xTBD, 0xTBD} {0xE4, 0x15}

   TLS_PSK_WITH_ESTREAM_SALSA20_SHA1         = {0xTBD, 0xTBD} {0xE4, 0x16}
   TLS_PSK_WITH_SALSA20_SHA1                 = {0xTBD, 0xTBD} {0xE4, 0x17}
   TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1   = {0xTBD, 0xTBD} {0xE4, 0x18}
   TLS_ECDHE_PSK_WITH_SALSA20_SHA1           = {0xTBD, 0xTBD} {0xE4, 0x19}

   TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1     = {0xTBD, 0xTBD} {0xE4, 0x1A}
   TLS_RSA_PSK_WITH_SALSA20_SHA1             = {0xTBD, 0xTBD} {0xE4, 0x1B}

   TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1     = {0xTBD, 0xTBD} {0xE4, 0x1C}
   TLS_DHE_PSK_WITH_SALSA20_SHA1             = {0xTBD, 0xTBD} {0xE4, 0x1D}

   TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1     = {0xTBD, 0xTBD} {0xE4, 0x1E}
   TLS_DHE_RSA_WITH_SALSA20_SHA1             = {0xTBD, 0xTBD} {0xE4, 0x1F}

6.  Security Considerations

   The security of Salsa20 is discussed in the Salsa20 security paper
   [SALSA20-SECURITY].  At the time of writing this document, there are
   no known significant security problems with the eSTREAM variant of
   Salsa20, nor with the original 20-round variant.  As of early 2013,
   the best cryptanalysis breaks 8 out of 20 rounds to recover the
   256-bit secret key in 2^251 operations, using 2^31 keystream pairs
   (see [SALSA20-ATTACK]).  For more background, see the eSTREAM report
   [ESTREAM].

   There are no ciphersuites defined in this document that utilize the
   variant of Salsa20 with 128-bit key material, because (due to the
   design of Salsa20) they provide no performance advantage over the
   256-bit variant.

   This document should not introduce any other security considerations
   than those that directly follow from any use of the stream cipher
   Salsa20 and those that directly follow from introducing any set of
   stream cipher suites into TLS and DTLS.

7.  Algorithm Selection Background

   This draft uses Salsa20, a winner of an international competition of
   stream ciphers (eSTREAM), which is easily implementable without
   leaking information through side channels, i.e., timing and power
   attacks.

   Suggestions have been made to instead use ChaCha [CHACHASPEC], a
   derivative of Salsa20 that has been shown to be 7% faster in hardware
   and to occupy 10% less space [VLSI-IMPL].  In our opinion, the
   performance benefits don't justify switching from a winner of an
   international competition to another algorithm (even if it is a
   derivative of it).

   This draft adds a new cipher to existing TLS and DTLS implementations
   that is combined with the existing MAC algorithms in TLS (i.e.,
   HMAC-SHA1).  This allows the new cipher to replace the RC4
   ciphersuites, which are currently known to be broken, in all TLS
   versions.

8.  References

8.1.  Normative References

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC4347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security", RFC 4347, April 2006.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC6234]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

   [SALSA20SPEC]
              Bernstein, D., "Salsa20 specification", WWW
              http://cr.yp.to/snuffle/spec.pdf, April 2005.

8.2.  Informative References

   [RFC6101]  Freier, A., Karlton, P., and P. Kocher, "The Secure
              Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
              August 2011.

   [SALSA20-SECURITY]
              Bernstein, D., "Salsa20 security", WWW
              http://cr.yp.to/snuffle/security.pdf, April 2005.

   [ESTREAM]  Babbage, S., De Canniere, C., Canteaut, A., Cid, C.,
              Gilbert, H., Johansson, T., Parker, M., Preneel, B.,
              Rijmen, V., and M. Robshaw, "The eSTREAM Portfolio (rev.
              1)", WWW http://www.ecrypt.eu.org/stream/finallist.html,
              September 2008.

   [CBC-ATTACK]
              AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, 2013.

   [RC4-ATTACK]
              Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full
              Plaintext Recovery Attack on Broadcast RC4", International
              Workshop on Fast Software Encryption, 2013.

   [AEAD-PERFORMANCE]
              Krovetz, T. and P. Rogaway, "The Software Performance of
              Authenticated-Encryption Modes", International Workshop on
              Fast Software Encryption, 2011.

   [SALSA20-ATTACK]
              Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and
              C. Rechberger, "New Features of Latin Dances: Analysis of
              Salsa, ChaCha, and Rumba", WWW
              http://eprint.iacr.org/2007/472.pdf, 2007.

   [CHACHASPEC]
              Bernstein, D., "ChaCha, a variant of Salsa20", WWW
              http://cr.yp.to/chacha/chacha-20080128.pdf, January 2008.

   [VLSI-IMPL]
              Henzen, L., Carbognani, F., and W. Fichtner, "VLSI
              hardware evaluation of the stream ciphers Salsa20 and
              ChaCha, and the compression function Rumba", 2008.

Authors' Addresses

   Simon Josefsson
   SJD AB

   Email: simon@josefsson.org
   URI:   http://josefsson.org/

   Joachim Strombergson
   Secworks Sweden AB

   Email: joachim@secworks.se
   URI:   http://secworks.se/

   Nikos Mavrogiannopoulos
   Red Hat

   Email: nmav@redhat.com
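As an added worked example (not part of the draft and not the authors' code), the following Python implements both Salsa20 variants of Section 2, the per-record nonce construction of Section 2.1 (TLS: the 64-bit record sequence number; DTLS: 16-bit epoch || 48-bit sequence number) and the MAC-then-encrypt GenericStreamCipher framing of Section 3 with HMAC-SHA1. It assumes big-endian encoding of the sequence number into the 8-byte nonce and a block counter that restarts at zero for every record; the draft text specifies neither, so both are assumptions.

```python
import hashlib, hmac, struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # Salsa20 constants for a 256-bit key

def _quarterround(x, a, b, c, d):
    r = lambda v, s: ((v << s) & MASK) | (v >> (32 - s))  # 32-bit rotate left
    x[b] ^= r((x[a] + x[d]) & MASK, 7)
    x[c] ^= r((x[b] + x[a]) & MASK, 9)
    x[d] ^= r((x[c] + x[b]) & MASK, 13)
    x[a] ^= r((x[d] + x[c]) & MASK, 18)

def salsa20_block(key, nonce, counter, rounds):
    """One 64-byte keystream block; rounds=20 is SALSA20, rounds=12 is ESTREAM_SALSA20."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    p = struct.unpack("<2I", struct.pack("<Q", counter))  # 64-bit block counter, little-endian
    s = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
         p[0], p[1], SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    x = list(s)
    for _ in range(rounds // 2):  # one double-round: four column quarterrounds, then four row ones
        for q in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                  (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarterround(x, *q)
    return struct.pack("<16I", *[(x[i] + s[i]) & MASK for i in range(16)])

def salsa20_xor(key, nonce, data, rounds):  # block counter restarts at 0 for each record (assumption)
    out = bytearray(data)
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64, rounds)
        for i in range(min(64, len(data) - off)):
            out[off + i] ^= ks[i]
    return bytes(out)

def dtls_nonce(epoch, seq48):
    """DTLS nonce: 16-bit epoch || 48-bit sequence number; TLS uses the plain 64-bit seq_num."""
    return ((epoch << 48) | seq48).to_bytes(8, "big")

def _mac(mac_key, seq, ctype, version, fragment):
    # TLS 1.2 MAC input: seq_num || type || version || length || fragment, keyed with HMAC-SHA1
    hdr = seq + bytes([ctype]) + version + struct.pack(">H", len(fragment))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha1).digest()

def protect(enc_key, mac_key, seq, ctype, version, fragment, rounds=20):
    # GenericStreamCipher: MAC first, then encrypt fragment || MAC; the nonce is the 8-byte seq
    return salsa20_xor(enc_key, seq, fragment + _mac(mac_key, seq, ctype, version, fragment), rounds)

def unprotect(enc_key, mac_key, seq, ctype, version, ciphertext, rounds=20):
    # Decrypt, then verify the MAC in constant time; None stands for a bad_record_mac alert
    plain = salsa20_xor(enc_key, seq, ciphertext, rounds)
    fragment, mac = plain[:-20], plain[-20:]
    return fragment if hmac.compare_digest(mac, _mac(mac_key, seq, ctype, version, fragment)) else None
```

Because the nonce is the sequence number, a record replayed or reordered under a different sequence number is decrypted with a different keystream and fails MAC verification; the same check catches any modified ciphertext byte.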