Network Working Group                                 N. Mavrogiannopoulos
Internet-Draft                                                     Red Hat
Intended status: Informational                             J. Strombergson
Expires: June 9, 2014                                   Secworks Sweden AB
                                                              S. Josefsson
                                                                    SJD AB
                                                          December 6, 2013

          The ChaCha Stream Cipher for Transport Layer Security
                  draft-mavrogiannopoulos-chacha-tls-00

Abstract

   This document describes how the Chacha stream cipher can be used in
   the Transport Layer Security (TLS) and Datagram Transport Layer
   Security (DTLS) protocols.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 9, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Chacha Cipher Suites
     2.1.  Chacha Cipher Suites with HMAC-SHA1
   3.  The TLS GenericStreamCipher
   4.  Acknowledgements
   5.  IANA Considerations
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document describes how the Chacha stream cipher can be used in
   the Transport Layer Security (TLS) version 1.0 [RFC2246], TLS version
   1.1 [RFC4346], and TLS version 1.2 [RFC5246] protocols, as well as in
   the Datagram Transport Layer Security (DTLS) versions 1.0 [RFC4347]
   and 1.2 [RFC6347].  It can also be used with Secure Sockets Layer
   (SSL) version 3.0 [RFC6101].

   Chacha [CHACHASPEC] is a stream cipher that has been designed for
   high performance in software implementations.  The cipher has a
   compact implementation and uses few resources and inexpensive
   operations, which makes it suitable for implementation on a wide
   range of architectures.  It has been designed to prevent leakage of
   information through side channel analysis, has a simple and fast key
   setup, and provides good overall performance.  It is a variant of
   Salsa20 [SALSA20SPEC], which is one of the selected ciphers in the
   eSTREAM portfolio [ESTREAM].

   Recent attacks [CBC-ATTACK] have indicated problems with CBC-mode
   cipher suites in TLS and DTLS, as well as issues with the only
   supported stream cipher (RC4) [RC4-ATTACK].  While the existing AEAD
   ciphersuites address these issues, concerns about their performance
   on general-purpose CPUs are sometimes raised [AEAD-PERFORMANCE].
   Moreover, the DTLS protocol cannot take advantage of the fast RC4
   stream cipher, because RC4 does not provide random access into its
   keystream.

   Therefore, a new stream cipher to replace RC4 and address all the
   previous issues is needed.  It is the purpose of this document to
   describe a secure stream cipher for both TLS and DTLS that is
   comparable to RC4 in speed on a wide range of platforms.

2.  Chacha Cipher Suites

   The variant of Chacha used in this draft is Chacha with 20 rounds and
   a 256-bit key.  This is the conservative variant of the Chacha family
   with respect to security.  Test vectors for this cipher can be found
   at [I-D.strombergson-chacha-test-vectors].

   In the next sections, different ciphersuites are defined that utilize
   the Chacha cipher combined with various MAC methods.

   In all cases, the pseudorandom function (PRF) for TLS 1.2 is the TLS
   PRF with SHA-256 as the hash function.  When used with TLS versions
   prior to 1.2, the PRF is calculated as specified in the appropriate
   version of the TLS specification.

2.1.  Chacha Cipher Suites with HMAC-SHA1

   The following CipherSuites are defined (note that the third column
   contains the ciphersuite numbers suggested to IANA):

      TLS_RSA_WITH_CHACHA_SHA1          = {0xTBD, 0xTBD} {0xE5, 0x00}
      TLS_ECDHE_RSA_WITH_CHACHA_SHA1    = {0xTBD, 0xTBD} {0xE5, 0x01}
      TLS_ECDHE_ECDSA_WITH_CHACHA_SHA1  = {0xTBD, 0xTBD} {0xE5, 0x02}

      TLS_PSK_WITH_CHACHA_SHA1          = {0xTBD, 0xTBD} {0xE5, 0x03}
      TLS_ECDHE_PSK_WITH_CHACHA_SHA1    = {0xTBD, 0xTBD} {0xE5, 0x04}
      TLS_RSA_PSK_WITH_CHACHA_SHA1      = {0xTBD, 0xTBD} {0xE5, 0x05}

      TLS_DHE_PSK_WITH_CHACHA_SHA1      = {0xTBD, 0xTBD} {0xE5, 0x06}
      TLS_DHE_RSA_WITH_CHACHA_SHA1      = {0xTBD, 0xTBD} {0xE5, 0x07}

   Note that Chacha requires a 64-bit nonce.  That nonce is updated on
   the encryption of every TLS record, and is set to be the 64-bit TLS
   record sequence number.
   In the case of DTLS, the 64-bit nonce is formed as the concatenation
   of the 16-bit epoch with the 48-bit sequence number.

   The RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA, PSK, DHE_PSK, RSA_PSK, and
   ECDHE_PSK key exchanges are performed as defined in [RFC5246],
   [RFC4492], and [RFC5489].

   The MAC algorithm used in the ciphersuites above is HMAC-SHA1
   [RFC6234].

3.  The TLS GenericStreamCipher

   The ciphersuites defined in this document differ from the TLS RC4
   ciphersuites that have been the basis for the definition of
   GenericStreamCipher.  Unlike RC4, Chacha requires a nonce per record.
   This, however, does not affect the description of the
   GenericStreamCipher if one assumes that a nonce is optional and
   depends on the cipher's characteristics (in that case RC4 uses a
   0-byte nonce, and Chacha an 8-byte nonce).

   As specified in TLS [RFC5246], the MAC is computed before encryption
   and the stream cipher encrypts the entire block, including the MAC.

4.  Acknowledgements

   The authors would like to thank Zooko Wilcox-O'Hearn and Samuel Neves
   for suggestions that led to this draft.

5.  IANA Considerations

   IANA is requested to allocate the following numbers in the TLS Cipher
   Suite Registry (note that the third column contains the suggested
   ciphersuite numbers):

      TLS_RSA_WITH_CHACHA_SHA1          = {0xTBD, 0xTBD} {0xE5, 0x00}
      TLS_ECDHE_RSA_WITH_CHACHA_SHA1    = {0xTBD, 0xTBD} {0xE5, 0x01}
      TLS_ECDHE_ECDSA_WITH_CHACHA_SHA1  = {0xTBD, 0xTBD} {0xE5, 0x02}

      TLS_PSK_WITH_CHACHA_SHA1          = {0xTBD, 0xTBD} {0xE5, 0x03}
      TLS_ECDHE_PSK_WITH_CHACHA_SHA1    = {0xTBD, 0xTBD} {0xE5, 0x04}
      TLS_RSA_PSK_WITH_CHACHA_SHA1      = {0xTBD, 0xTBD} {0xE5, 0x05}

      TLS_DHE_PSK_WITH_CHACHA_SHA1      = {0xTBD, 0xTBD} {0xE5, 0x06}
      TLS_DHE_RSA_WITH_CHACHA_SHA1      = {0xTBD, 0xTBD} {0xE5, 0x07}
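   The per-record nonce of Section 2.1 and the MAC-then-encrypt record
   processing of Section 3, as an added example that is not part of this
   draft: a minimal ChaCha20 with the original 64-bit counter / 64-bit
   nonce state layout, the TLS and DTLS nonce constructions, and a
   GenericStreamCipher seal/open pair using HMAC-SHA1.  Big-endian byte
   order for the nonce is an assumption (the draft does not fix it), and
   all keys and record contents used are constructed.

```python
import hashlib
import hmac
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xffffffff

def _qr(s, a, b, c, d):  # one ChaCha quarter-round, in place on 32-bit words
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xffffffff; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xffffffff; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    # Original ChaCha state: constants | 256-bit key | 64-bit counter | 64-bit nonce; 20 rounds.
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<Q", counter) + nonce))
    s = init[:]
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(s[i] + init[i]) & 0xffffffff for i in range(16)])

def chacha20_xor(key, nonce, data):
    # The block counter restarts at 0 for every record; the per-record nonce keeps keystreams apart.
    ks = b"".join(chacha20_block(key, nonce, c) for c in range((len(data) + 63) // 64))
    return bytes(x ^ y for x, y in zip(data, ks))

def tls_nonce(seq_num):  # TLS: the 64-bit record sequence number (big-endian assumed here)
    return struct.pack(">Q", seq_num)

def dtls_nonce(epoch, seq_num):  # DTLS: 16-bit epoch || 48-bit sequence number
    return struct.pack(">H", epoch) + seq_num.to_bytes(6, "big")

def seal_record(enc_key, mac_key, nonce, content_type, version, fragment):
    # GenericStreamCipher: HMAC-SHA1 over seq_num || type || version || length || fragment, then one
    # keystream pass over fragment || MAC.  The nonce bytes are also the MAC's 64-bit seq_num field.
    hdr = nonce + struct.pack(">BHH", content_type, version, len(fragment))
    tag = hmac.new(mac_key, hdr + fragment, hashlib.sha1).digest()
    return chacha20_xor(enc_key, nonce, fragment + tag)

def open_record(enc_key, mac_key, nonce, content_type, version, ciphertext):
    # Decrypt, then check the trailing 20-byte MAC in constant time before releasing any data.
    plain = chacha20_xor(enc_key, nonce, ciphertext)
    if len(plain) < 20:
        raise ValueError("bad_record_mac")
    fragment, tag = plain[:-20], plain[-20:]
    hdr = nonce + struct.pack(">BHH", content_type, version, len(fragment))
    if not hmac.compare_digest(tag, hmac.new(mac_key, hdr + fragment, hashlib.sha1).digest()):
        raise ValueError("bad_record_mac")
    return fragment
```

   Reusing a nonce under the same key (for example by replaying a
   sequence number) would reuse keystream, so the record layer must
   never encrypt two records under the same sequence number and epoch.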
6.  Security Considerations

   Chacha follows the same basic principle as Salsa20, a cipher with
   significant security review [SALSA20-SECURITY][ESTREAM].  At the time
   of writing this document, there are no known significant security
   problems with either cipher, and Chacha is shown to be more resistant
   to certain attacks than Salsa20 [SALSA20-ATTACK].  Furthermore, Chacha
   was used as the core of the BLAKE hash function, a SHA-3 finalist
   that had received considerable cryptanalytic attention [NIST-SHA3].

   This document should not introduce any other security considerations
   than those that directly follow from any use of the stream cipher
   Chacha and those that directly follow from introducing any set of
   stream cipher suites into TLS and DTLS.

7.  References

7.1.  Normative References

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC4346]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC4347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security", RFC 4347, April 2006.

   [RFC4492]  Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
              Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
              for Transport Layer Security (TLS)", RFC 4492, May 2006.

   [RFC5489]  Badra, M. and I. Hajjeh, "ECDHE_PSK Cipher Suites for
              Transport Layer Security (TLS)", RFC 5489, March 2009.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC6234]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.

   [CHACHASPEC]
              Bernstein, D., "Chacha, a variant of Salsa20",
              WWW http://cr.yp.to/chacha/chacha-20080128.pdf,
              January 2008.

7.2.  Informative References

   [I-D.strombergson-chacha-test-vectors]
              Strombergson, J., "Test Vectors for the Stream Cipher
              ChaCha", draft-strombergson-chacha-test-vectors-00 (work
              in progress), October 2013.

   [SALSA20SPEC]
              Bernstein, D., "Salsa20 specification",
              WWW http://cr.yp.to/snuffle/spec.pdf, April 2005.

   [RFC6101]  Freier, A., Karlton, P., and P. Kocher, "The Secure
              Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
              August 2011.

   [SALSA20-SECURITY]
              Bernstein, D., "Salsa20 security",
              WWW http://cr.yp.to/snuffle/security.pdf, April 2005.

   [ESTREAM]  Babbage, S., De Canniere, C., Canteaut, A., Cid, C.,
              Gilbert, H., Johansson, T., Parker, M., Preneel, B.,
              Rijmen, V., and M. Robshaw, "The eSTREAM Portfolio (rev.
              1)", WWW http://www.ecrypt.eu.org/stream/finallist.html,
              September 2008.

   [CBC-ATTACK]
              AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, 2013.

   [RC4-ATTACK]
              Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full
              Plaintext Recovery Attack on Broadcast RC4", International
              Workshop on Fast Software Encryption, 2013.

   [AEAD-PERFORMANCE]
              Krovetz, T. and P. Rogaway, "The Software Performance of
              Authenticated-Encryption Modes", International Workshop on
              Fast Software Encryption, 2011.

   [SALSA20-ATTACK]
              Aumasson, J-P., Fischer, S., Khazaei, S., Meier, W., and
              C. Rechberger, "New Features of Latin Dances: Analysis of
              Salsa, ChaCha, and Rumba",
              WWW http://eprint.iacr.org/2007/472.pdf, 2007.

   [VLSI-IMPL]
              Henzen, L., Carbognani, F., and W. Fichtner, "VLSI
              hardware evaluation of the stream ciphers Salsa20 and
              ChaCha, and the compression function Rumba", 2008.

   [NIST-SHA3]
              Chang, S., Burr, W., Kelsey, J., Paul, S., and L. Bassham,
              "Third-Round Report of the SHA-3 Cryptographic Hash
              Algorithm Competition",
              WWW http://dx.doi.org/10.6028/NIST.IR.7896, 2012.

Authors' Addresses

   Nikos Mavrogiannopoulos
   Red Hat

   Email: nmav@redhat.com


   Joachim Strombergson
   Secworks Sweden AB

   Email: joachim@secworks.se
   URI:   http://secworks.se/


   Simon Josefsson
   SJD AB

   Email: simon@josefsson.org
   URI:   http://josefsson.org/